Latest Johnson Controls Software House iSTAR Pro Door Controller vulnerability #
Johnson Controls has disclosed a vulnerability in its Software House iSTAR Pro door controller.
CVE-2024-32752 is rated high with a CVSS score of 8.8 and allows an attacker to perform a machine-in-the-middle (MITM) attack against the controller's configuration traffic.
What is the impact? #
Under certain circumstances, communication between the ICU tool and an iSTAR Pro door controller is susceptible to machine-in-the-middle attacks, which could allow an attacker to affect door control and controller configuration.
Are updates or workarounds available? #
The iSTAR Pro controller has reached end of support and no further firmware updates will be provided. However, the iSTAR Pro has a physical DIP switch on its GCM board, labeled S4, that can be set to block communication with the ICU tool. Consult the iSTAR Pro Installation and Configuration Guide for details on setting the DIP switch to mitigate this vulnerability. Note that this also blocks legitimate use of the ICU tool against the controller, so complete any required configuration changes before setting the switch.
For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2024-06 v1.
How do I find potentially vulnerable systems with runZero? #
From the Asset Inventory, use the following query to locate iSTAR controllers that may be affected:
hw:iStar