CVE-2024-32758 Overview
CVE-2024-32758 is a critical cryptographic vulnerability affecting the Johnson Controls exacqVision video management system. Under certain circumstances, the communication between exacqVision Client and exacqVision Server uses insufficient key length and key exchange, potentially allowing attackers to intercept and decrypt sensitive communications. This weakness (CWE-326: Inadequate Encryption Strength) can expose video surveillance data and system credentials to unauthorized parties.
Critical Impact
Network-accessible video surveillance systems may be vulnerable to communication interception, potentially exposing sensitive video feeds and authentication credentials to attackers who can position themselves to intercept client-server traffic.
Affected Products
- Johnson Controls exacqVision Client (all vulnerable versions)
- Johnson Controls exacqVision Server (all vulnerable versions)
Discovery Timeline
- August 1, 2024 - CVE-2024-32758 published to NVD
- August 9, 2024 - Last updated in NVD database
Technical Details for CVE-2024-32758
Vulnerability Analysis
This vulnerability stems from inadequate encryption strength in the communication channel between exacqVision Client and exacqVision Server components. The cryptographic weakness involves insufficient key length during the key exchange process, which fundamentally undermines the confidentiality protections that encryption is meant to provide.
The exacqVision platform is a video management system commonly deployed in physical security environments, including critical infrastructure facilities. When client applications connect to the server component, cryptographic protocols are used to protect the communication channel. However, under certain conditions, this implementation uses cryptographic keys that do not meet modern security standards, making the encrypted communications susceptible to cryptanalytic attacks.
An attacker with visibility into network traffic between exacqVision components could potentially capture encrypted communications and, because of the weak key strength, decrypt the captured data. This could expose video surveillance feeds, user credentials, system configuration data, and other sensitive information transmitted between client and server.
Root Cause
The root cause of this vulnerability is the implementation of cryptographic key exchange mechanisms that utilize insufficient key lengths. CWE-326 (Inadequate Encryption Strength) describes scenarios where cryptographic algorithms are used with key lengths that do not provide adequate protection against brute-force or cryptanalytic attacks. Modern cryptographic standards require minimum key lengths (e.g., 2048-bit for RSA, 256-bit for AES) to resist attacks from contemporary computing capabilities.
Attack Vector
The attack vector is network-based and requires the attacker to have visibility into network traffic between exacqVision Client and Server components. Attack complexity is high, because the attacker must successfully capture and cryptanalyze the communications. Some user interaction is also required for successful exploitation. Once traffic is captured, the weak key length allows for potential decryption through exhaustive key search or other cryptanalytic techniques applicable to short key lengths.
Detection Methods for CVE-2024-32758
Indicators of Compromise
- Unusual network traffic patterns between exacqVision Client and Server endpoints
- Evidence of network sniffing or packet capture tools targeting exacqVision communication ports
- Unexplained authentication failures or session anomalies in exacqVision logs
- Signs of man-in-the-middle positioning on network segments carrying exacqVision traffic
Detection Strategies
- Monitor network traffic for signs of passive interception or ARP spoofing on segments containing exacqVision infrastructure
- Analyze TLS/SSL handshake parameters in exacqVision communications to identify weak cipher suite negotiations
- Implement network-based intrusion detection rules to flag unusual traffic patterns to video management system endpoints
- Review exacqVision server logs for connection anomalies or authentication irregularities
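The handshake-parameter review described above can be automated over whatever summaries a TLS-aware network sensor exports. The following is an added example, not Johnson Controls code or part of the original advisory; the record field names, the sample addresses, and the elliptic-curve threshold are assumptions made for illustration.

```python
import re

# Thresholds: 2048-bit RSA/DH follows the minimum cited in this article;
# the 224-bit elliptic-curve floor is an assumption of this example.
MIN_BITS = {"RSA": 2048, "DHE": 2048, "ECDHE": 224}
WEAK_TOKENS = ("EXPORT", "NULL", "RC4", "DES", "anon", "MD5")
WEAK_VERSIONS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

# Constructed sample records (documentation-range IPs, hypothetical field names).
SAMPLE = [
    {"client": "192.0.2.21", "server": "192.0.2.10", "version": "TLSv1.2",
     "cipher": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "kex_bits": 256},
    {"client": "192.0.2.22", "server": "192.0.2.10", "version": "TLSv1.2",
     "cipher": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "kex_bits": 1024},
    {"client": "192.0.2.23", "server": "192.0.2.10", "version": "TLSv1.0",
     "cipher": "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "kex_bits": 2048},
    {"client": "192.0.2.24", "server": "198.51.100.5", "version": "SSLv3",
     "cipher": "TLS_RSA_WITH_RC4_128_MD5", "kex_bits": 512},
]

def kex_family(cipher):
    """Derive the key-exchange family from an IANA-style suite name."""
    m = re.match(r"TLS_(ECDHE|DHE|RSA)_", cipher)
    return m.group(1) if m else None

def audit_handshakes(records, vms_servers):
    """Return (client, server, reasons) for weak handshakes to listed servers."""
    findings = []
    for r in records:
        if r["server"] not in vms_servers:
            continue  # only audit traffic to the video management servers
        reasons = []
        if r["version"] in WEAK_VERSIONS:
            reasons.append(f"legacy protocol {r['version']}")
        weak = [t for t in WEAK_TOKENS if t in r["cipher"]]
        if weak:
            reasons.append("weak suite component " + "/".join(weak))
        fam, bits = kex_family(r["cipher"]), r.get("kex_bits")
        if fam and bits is not None and bits < MIN_BITS[fam]:
            reasons.append(f"{fam} key exchange {bits} bits < {MIN_BITS[fam]}")
        if reasons:
            findings.append((r["client"], r["server"], reasons))
    return findings

if __name__ == "__main__":
    for client, server, reasons in audit_handshakes(SAMPLE, {"192.0.2.10"}):
        print(f"{client} -> {server}: {'; '.join(reasons)}")
```

Feed it the server addresses from your own inventory; a finding identifies the client and server pair whose negotiated parameters should be reviewed against the vendor guidance.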
Monitoring Recommendations
- Deploy network monitoring to detect potential man-in-the-middle attack positioning
- Implement deep packet inspection for connections to exacqVision infrastructure
- Monitor for unauthorized network reconnaissance targeting video management systems
- Establish baseline traffic patterns for exacqVision communications to identify anomalies
How to Mitigate CVE-2024-32758
Immediate Actions Required
- Consult the Johnson Controls Security Advisory for the latest patch information and guidance
- Review the CISA ICS Advisory ICSA-24-214-01 for detailed mitigation steps
- Isolate exacqVision infrastructure on dedicated network segments with strict access controls
- Implement network segmentation to limit potential attacker positioning for traffic interception
- Enable VPN or additional encryption layers for exacqVision communications where possible
Patch Information
Johnson Controls has released guidance addressing this vulnerability. Organizations should review the official Johnson Controls Security Advisory for specific patch versions and update instructions. CISA has also published ICS Advisory ICSA-24-214-01 providing additional context and recommendations for affected organizations.
Workarounds
- Implement network segmentation to isolate exacqVision components from untrusted network segments
- Deploy VPN tunnels or additional transport-layer encryption for client-server communications
- Restrict network access to exacqVision infrastructure using firewall rules and access control lists
- Consider implementing 802.1X network access control to limit network visibility of exacqVision traffic
- Monitor and audit network access to segments containing video management infrastructure


