CVE-2024-32861 - Vulnerability Details - OpenCVE

Under certain circumstances the impacted Software House C•CURE 9000 installer will utilize unnecessarily wide permissions.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00058.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Johnsoncontrols Subscribe	Software House C-cure 9000 Subscribe

No data.

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-30647	Under certain circumstances the impacted Software House C•CURE 9000 installer will utilize unnecessarily wide permissions.

Fixes

Solution

• Remove Full control and Write permissions. For non-administrator accounts, limit permissions to Read & Execute on the following path: o C:\CouchDB\bin

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.cisa.gov/news-events/ics-advisories/ICSA-24-191-05
https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories

History

Mon, 13 Jan 2025 14:45:00 +0000

Type	Values Removed	Values Added
Description	Under certain circumstances the Software House C●CURE 9000 Site Server provides insufficient protection of directories containing executables.	Under certain circumstances the impacted Software House C•CURE 9000 installer will utilize unnecessarily wide permissions.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: jci

Published: 2024-07-16T14:36:51.171Z

Updated: 2025-07-21T15:57:46.437Z

Reserved: 2024-04-19T13:45:43.928Z

Link: CVE-2024-32861

Vulnrichment

Updated: 2024-08-02T02:20:35.618Z

NVD

Status : Awaiting Analysis

Published: 2024-07-16T15:15:12.037

Modified: 2025-01-13T15:15:08.383

Link: CVE-2024-32861

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-276

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-32861", "assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "state": "PUBLISHED", "assignerShortName": "jci", "dateReserved": "2024-04-19T13:45:43.928Z", "datePublished": "2024-07-16T14:36:51.171Z", "dateUpdated": "2025-07-21T15:57:46.437Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "Software House C\u2022CURE 9000 Installer", "vendor": "Johnson Controls", "versions": [{"lessThanOrEqual": "2.8", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Reid Wightman of Dragos"}], "datePublic": "2024-07-16T14:32:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Under certain circumstances the impacted Software House C\u2022CURE 9000 installer will utilize unnecessarily wide permissions."}], "value": "Under certain circumstances the impacted Software House C\u2022CURE 9000 installer will utilize unnecessarily wide permissions."}], "impacts": [{"capecId": "CAPEC-653", "descriptions": [{"lang": "en", "value": "CAPEC-653: Use of Known Operating System Credentials"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-276", "description": "CWE-276: Incorrect Default Permissions", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "shortName": "jci", "dateUpdated": "2025-07-21T15:57:46.437Z"}, "references": [{"url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/ICSA-24-191-05"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\u2022 Remove Full control and Write permissions. For non-administrator accounts, limit permissions to Read & Execute on the following path:<br>\u2003\u2003\u2003o C:\\CouchDB\\bin <br><br>"}], "value": "\u2022 Remove Full control and Write permissions. For non-administrator accounts, limit permissions to Read & Execute on the following path:\n\u2003\u2003\u2003o C:\\CouchDB\\bin"}], "source": {"discovery": "UNKNOWN"}, "title": "Software House C\u2022CURE - CouchDB executable protection", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "johnsoncontrols", "product": "software_house_c-cure_9000", "cpes": ["cpe:2.3:a:johnsoncontrols:software_house_c-cure_9000:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.00.3", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-16T14:55:26.330499Z", "id": "CVE-2024-32861", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-16T14:57:10.115Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:20:35.618Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories", "tags": ["x_transferred"]}, {"url": "https://www.cisa.gov/news-events/ics-advisories/ICSA-24-191-05", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories", "tags": ["x_transferred"]}, {"url": "https://www.cisa.gov/news-events/ics-advisories/ICSA-24-191-05", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:20:35.618Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-32861", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-16T14:55:26.330499Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:johnsoncontrols:software_house_c-cure_9000:*:*:*:*:*:*:*:*"], "vendor": "johnsoncontrols", "product": "software_house_c-cure_9000", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "3.00.3"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-16T14:57:06.964Z"}}], "cna": {"title": "Software House C\u2022CURE - CouchDB executable protection", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Reid Wightman of Dragos"}], "impacts": [{"capecId": "CAPEC-653", "descriptions": [{"lang": "en", "value": "CAPEC-653: Use of Known Operating System Credentials"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Johnson Controls", "product": "Software House C\u2022CURE 9000 Installer", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.8"}], "defaultStatus": "affected"}], "solutions": [{"lang": "en", "value": "\u2022 Remove Full control and Write permissions. For non-administrator accounts, limit permissions to Read & Execute on the following path:\n\u2003\u2003\u2003o C:\\CouchDB\\bin", "supportingMedia": [{"type": "text/html", "value": "\u2022 Remove Full control and Write permissions. For non-administrator accounts, limit permissions to Read & Execute on the following path:<br>\u2003\u2003\u2003o C:\\CouchDB\\bin <br><br>", "base64": false}]}], "datePublic": "2024-07-16T14:32:00.000Z", "references": [{"url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/ICSA-24-191-05"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Under certain circumstances the impacted Software House C\u2022CURE 9000 installer will utilize unnecessarily wide permissions.", "supportingMedia": [{"type": "text/html", "value": "Under certain circumstances the impacted Software House C\u2022CURE 9000 installer will utilize unnecessarily wide permissions.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-276", "description": "CWE-276: Incorrect Default Permissions"}]}], "providerMetadata": {"orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "shortName": "jci", "dateUpdated": "2025-07-21T15:57:46.437Z"}}}, "cveMetadata": {"cveId": "CVE-2024-32861", "state": "PUBLISHED", "dateUpdated": "2025-07-21T15:57:46.437Z", "dateReserved": "2024-04-19T13:45:43.928Z", "assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "datePublished": "2024-07-16T14:36:51.171Z", "assignerShortName": "jci"}, "dataVersion": "5.1"}