JCI Software House C-CURE 9000, 2 High Vulnerabilities Analyzed
Two months after a high-severity vulnerability in the Software House C-Cure 9000 management system was disclosed, two more high-severity vulnerabilities affecting C-Cure 9000 have been published.
In this report, we examine the practical risk of each of the two newly disclosed vulnerabilities, including JCI's response and the remediation it recommends.
Also, see JCI Software House C-CURE 9000 Vulnerability 2024 Analyzed and JCI Illustra Essentials Gen 4 IP Cameras - 1 Critical, 3 Medium Vulnerabilities.
Executive *******
***** *** ***** ********* *************** ********** poor *********** *** ******** ******** ********* being **** ** ****-**** **** *******. *** ********* **** *** ******** scoring *** **** (***-****-***********-****-*****) *** **** ** **** *** be ********* ******** ******* ** ******** being *************, ***** ************* ******* **** the****-******** ************* ********* ~* ****** ********** *** ***** ***** ****** ** "high-severity" ***************.
************, ** ***** ******* *** *** cloud-managed, **** ***** **** ******** ****** / ******* *** *********** *********** ** ensure ******* *** *** **********. ** such, ** ******* **** ** ***** systems **** ****** **********. ** *** does *** ******** **** ******** ******** and ********* *****, ** ****** *** C-Cure **** ***** ** ****** ***** systems *** ** ** **** *** on *** **** ******* *******.
Use ** **** *********** (***-****-*****)
*** ***** ************* (***-****-*****) ********-**** **** *******, ******** **** *********** ** ** used, *** ******* ******** ********** *** parties ******** ***** ******* ** **** specific ******. **** ***** ******* (*) hard-coded *********, (*) ******* *********, (*) weak **************, *** (*) **** ******** requirements, *** ** ***** *** **** practices *** ***** **** *********.
******** *******:
******** ***** *•**** ****, ******* *.** and *****
**********:
****** ******** ***** *•**** **** ** at ***** ******* *.**
*******, *** **** *** ******** ******** the **** ******** ******** *** ********.
Incorrect ******* *********** (***-****-*****)
*** ****** (***-****-*****) ******* ****-**** **** **********, ******** ********** **** *********** ** non-admin *****, ******** **** ** **** changes / ***** ** ***** **** contain *********** *** ***** **** *** compromise (** ***** ********) *******.
*** *** *** ******** ** ******** the **** ***** *********** **** ***-***** accounts:
******** ********:
******** ***** *•**** ****, **** ******, version *.**.* *** *****
**********:
****** ***** *********** **** *:\*******\*** ****** within ******** ***** *●**** **** **** Server *** ***-**************.
*******, ** ** **** *********, **** is ** ******** / ******** *********** in *******, *** **** ******* *** likely ********** ** **** ******.
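As an added illustration, not code from IPVM, JCI or the advisory itself, the following PowerShell audits a directory tree for ACL entries that grant write-class rights to broad non-admin principals, which is the check a practitioner would run to confirm whether a permissions weakness of this kind is present and whether remediation actually removed it. The default path is a hypothetical placeholder; substitute the folder identified in the vendor advisory for your installation.

```powershell
# Added example (not from the IPVM report or JCI): audit a directory tree for
# ACL entries that grant write-class rights to broad, non-administrative principals.
# The default path below is a hypothetical placeholder (assumption); point it at
# the folder named in the vendor advisory for your installation.
param(
    [string]$Path = 'C:\Program Files\ExampleVendor\ExampleApp'   # assumption
)

# Groups that every standard (non-admin) interactive user belongs to.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any one of these rights lets a non-admin alter files or the directory itself.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Find-WeakAce {
    param([string]$Root)

    # The root itself plus everything beneath it; hidden items included.
    $items = @(Get-Item -LiteralPath $Root) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }

        foreach ($ace in $acl.Access) {
            # Only Allow entries for the broad groups with some write-class bit set.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band [int]$WriteMask) -eq 0) { continue }

            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = @(Find-WeakAce -Root $Path)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    Write-Warning "$($findings.Count) ACE(s) grant write-class rights to non-admin principals under $Path"
} else {
    Write-Host "No write-class rights for broad non-admin principals found under $Path"
}
```

Run it before and after applying the vendor's fix: a clean result afterwards confirms that non-admin accounts can no longer modify the directory contents. The Inherited column matters in practice, because an entry inherited from a parent such as the Program Files root will reappear unless inheritance is broken or the parent is corrected, so fix the source of the entry rather than individual files.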
Vague ***********, ***** *********
***** *********** *** *** ******* ********, JCI's *********** / ******* ** **** vulnerability **** **** / ***** *** potentially ********** ** **** ***, "***** certain *************..." *******, *** ********** ** technically ******* **********, *** ***** **** go **** * ****** ** ******** fix ****. ** ** **** ******** for ***** ** ** ****, *** it ** *** ***** **** * simple ******** ****** ** * ******.
**** **** ******* *** **** *** only ****** *** ********** ** ***** website *** ***** **** ********* ** these ***************, *** *** *** ******** answer *** ********* / ******* **** detail ********* **** *** ********* **** had ****** *** ****** ******** ** their ****:
** * ****** ** *****, ******* and *********** *********, ** **** *** quality, *********** *** ******** ** *** products *********. ** *** ****** ********** guidance ********* ** *** *********, *** guidance ** ********* ** *** ********* guides *** ********** ********.
*** ****** ******** ** *** ******* on *** *******:*****://***.***************.***/*****-******/*************/********-**********.
***** **** **** ********* *** **** day ** ****'* **** (*,*), **** *** ********** *** ****** on ***'* ********* ***** *** *******(*** ******* *********** *****):
** ** ******* *** ******** ** general *** **** ***** ******** ***************, since ** ** *** **** **** technics ** ******* ***** ** (***********, panels, ****** **********, ***.) ******* **** cyber-attacks. ** *** ******* ******* ******* that *** ***** **** ** *** power ****, ***** ******* ******* *** others. ** ***** ** ****** *** devices, ** **** ** * **** technology ** **** *** ****** ************** to ****** ** *** ***********, **** way ** **** ****** *** ****.