CVE-2024-32752 Overview
CVE-2024-32752 is a missing authentication vulnerability affecting Johnson Controls iSTAR door controllers running firmware versions prior to 6.6.B. The vulnerability exists because the iSTAR door controllers do not support authenticated communications with the ICU (Intelligent Controller Unit), potentially allowing attackers to gain unauthorized access to physical access control systems.
Critical Impact
Attackers with network access can potentially manipulate door access controls without authentication, compromising physical security infrastructure in facilities using affected iSTAR controllers.
Affected Products
- Johnson Controls iSTAR door controllers running firmware prior to version 6.6.B
- iSTAR controllers communicating with ICU systems without authentication
Discovery Timeline
- June 6, 2024 - CVE-2024-32752 published to NVD
- April 24, 2025 - Last updated in NVD database
Technical Details for CVE-2024-32752
Vulnerability Analysis
This vulnerability is classified under CWE-306 (Missing Authentication for Critical Function), which represents a fundamental security flaw where the affected system fails to require authentication before allowing access to critical functionality. In the context of physical access control systems like the iSTAR door controllers, this weakness is particularly severe as it directly impacts the integrity and availability of security-critical infrastructure.
The iSTAR door controllers, when running firmware versions prior to 6.6.B, communicate with the ICU component without requiring authentication. This design flaw means that any entity capable of reaching the controller over the network can potentially interact with it as if they were a legitimate management system.
Root Cause
The root cause of CVE-2024-32752 lies in the firmware implementation of the iSTAR door controllers. Prior to version 6.6.B, the communication protocol between the door controller and the ICU lacked authentication mechanisms. This means the controller would accept and process commands from any network source capable of establishing a connection, without verifying the identity or authorization of the requesting system.
Attack Vector
The vulnerability is exploitable over the network, requiring no authentication or user interaction. An attacker with network access to the iSTAR controller could potentially:
- Send unauthorized commands to the door controller
- Manipulate access control decisions (lock/unlock doors)
- Disrupt normal door controller operations
- Intercept or modify communications between the ICU and door controllers
The attack does not require any privileges or user interaction, making it particularly dangerous in environments where network segmentation is insufficient.
Detection Methods for CVE-2024-32752
Indicators of Compromise
- Unexpected network connections to iSTAR door controllers from unauthorized IP addresses
- Anomalous command sequences or communication patterns between ICU and door controllers
- Unauthorized door unlock events or access control modifications not initiated by administrators
- Log entries indicating controller communication from unrecognized sources
Detection Strategies
- Monitor network traffic to and from iSTAR door controllers for unauthorized connection attempts
- Implement network intrusion detection systems (NIDS) with rules specific to iSTAR controller communication protocols
- Review access control logs for unauthorized door state changes or configuration modifications
- Deploy behavioral analytics to detect deviations from normal controller communication patterns
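The following Python example is added here and is not part of the original advisory or any Johnson Controls tooling. It applies the allowlist idea behind these strategies to firewall logs: any flow aimed at a controller from a source other than an authorized ICU host is counted and reported. It assumes the firewall in front of the controller segment writes netfilter LOG lines; the subnet, host addresses and port 9999 are constructed placeholders, not iSTAR values.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed site inventory (constructed values; replace with your own).
CONTROLLER_NET = ip_network("10.20.0.0/28")    # iSTAR controller segment
AUTHORIZED_ICU = {ip_address("10.10.5.20")}    # hosts allowed to run ICU

# Constructed netfilter LOG lines (fields abbreviated). Port 9999 is a placeholder.
SAMPLE_LOG = """\
Jun 10 02:14:07 fw kernel: IN=eth0 OUT=eth1 SRC=10.10.5.20 DST=10.20.0.3 LEN=60 PROTO=TCP SPT=50122 DPT=9999 SYN
Jun 10 02:15:31 fw kernel: IN=eth0 OUT=eth1 SRC=10.30.7.44 DST=10.20.0.3 LEN=60 PROTO=TCP SPT=41876 DPT=9999 SYN
Jun 10 02:15:32 fw kernel: IN=eth0 OUT=eth1 SRC=10.30.7.44 DST=10.20.0.3 LEN=60 PROTO=TCP SPT=41877 DPT=9999 SYN
Jun 10 02:15:40 fw kernel: IN=eth0 OUT=eth1 SRC=10.30.7.44 DST=10.20.0.5 LEN=48 PROTO=UDP SPT=53311 DPT=9999
Jun 10 02:16:02 fw kernel: IN=eth0 OUT=eth2 SRC=10.30.7.44 DST=10.40.0.1 LEN=60 PROTO=TCP SPT=41900 DPT=443 SYN
Jun 10 02:17:15 fw kernel: IN=eth0 OUT=eth1 SRC=10.30.9.9 DST=10.20.0.3 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Jun 10 02:20:00 fw sshd[811]: session opened for user admin
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def parse_flow(line):
    """Return (src, dst, proto, dport), or None for lines that are not flow records."""
    f = dict(FIELD.findall(line))
    try:
        return ip_address(f["SRC"]), ip_address(f["DST"]), f.get("PROTO", "?"), f.get("DPT", "-")
    except (KeyError, ValueError):   # missing field or malformed address
        return None

def unauthorized_controller_flows(log_text):
    """Count flows aimed at a controller from any source that is not an authorized ICU host."""
    hits = Counter()
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        src, dst, proto, dport = flow
        if dst in CONTROLLER_NET and src not in AUTHORIZED_ICU:
            hits[(str(src), str(dst), proto, dport)] += 1
    # Most frequent first, then by key so reports are reproducible.
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for (src, dst, proto, dport), count in unauthorized_controller_flows(SAMPLE_LOG):
        print(f"ALERT {src} -> {dst} {proto}/{dport} x{count}")
```

Records without a destination port (ICMP here) are still reported, with `-` in the port field, so probes of the controller segment are not silently dropped from the report.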
Monitoring Recommendations
- Segment iSTAR door controllers on isolated network segments with strict access controls
- Enable comprehensive logging on all access control system components
- Implement continuous monitoring of network traffic flows involving physical security infrastructure
- Establish baseline communication patterns and alert on deviations
How to Mitigate CVE-2024-32752
Immediate Actions Required
- Upgrade iSTAR door controller firmware to version 6.6.B or later immediately
- Implement network segmentation to isolate access control systems from general network traffic
- Review and restrict network access to iSTAR controllers to authorized management systems only
- Conduct an audit of access control logs to identify any potential unauthorized access
Patch Information
Johnson Controls has addressed this vulnerability in firmware version 6.6.B and later. Organizations should update their iSTAR door controllers to the latest available firmware version. For detailed patch information and guidance, refer to the CISA ICS Advisory ICSA-24-158-04 and the Johnson Controls Product Security Advisory JCI-PSA-2024-06.
Workarounds
- Implement strict network segmentation to prevent unauthorized network access to door controllers
- Deploy firewall rules to restrict communication to iSTAR controllers from only authorized ICU systems
- Use VPN or encrypted tunnels for any remote management access to the access control infrastructure
- Monitor for and block any unauthorized connection attempts to controller management interfaces
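```bash
# Example network segmentation firewall rule (adapt to your environment)
# Apply on the Linux firewall/router that forwards traffic into the controller
# segment; routed traffic traverses the FORWARD chain, not INPUT.
# Allow only the authorized ICU system to communicate with iSTAR controllers
iptables -A FORWARD -s <ICU_IP_ADDRESS> -d <ISTAR_CONTROLLER_IP> -j ACCEPT
iptables -A FORWARD -d <ISTAR_CONTROLLER_IP> -j DROP
```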
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


