CVE-2024-0912 – This vulnerability causes Microsoft IIS servers... (How to Fix)

Q: What is the severity of CVE-2024-0912?

CVE-2024-0912 has a CVSS score of 4.2 (MEDIUM). This vulnerability causes Microsoft IIS servers hosting C•CURE 9000 Web Server to log Windows credential details in log files under certain circumstances. This affects organizations using C•CURE 9000 Web Server on IIS. There is no impact to non-web service interfaces or prior versions of C•CURE 9000.

📋 TL;DR

This vulnerability causes Microsoft IIS servers hosting C•CURE 9000 Web Server to log Windows credential details in log files under certain circumstances. This affects organizations using C•CURE 9000 Web Server on IIS. There is no impact to non-web service interfaces or prior versions of C•CURE 9000.

💻 Affected Systems

Products:

C•CURE 9000 Web Server

Versions: C•CURE 9000 Web Server versions prior to 3.10.0

Operating Systems: Windows Server with IIS

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects web service interfaces on IIS; non-web interfaces and prior C•CURE 9000 versions are not affected.

📦 What is this software?

Software House C Cure 9000 Siteserver by Johnsoncontrols

View all CVEs affecting Software House C Cure 9000 Siteserver →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain access to log files containing Windows credentials, potentially leading to credential theft, lateral movement, and privilege escalation within the network.

🟠

Likely Case

Credential exposure in log files that could be accessed by unauthorized users or attackers who have already compromised the system, leading to credential harvesting.

🟢

If Mitigated

Limited impact with proper log file access controls and monitoring, though credentials remain exposed in logs.

🌐 Internet-Facing: MEDIUM - Web servers exposed to the internet increase attack surface for log file access, but exploitation requires accessing logs.

🏢 Internal Only: MEDIUM - Internal attackers or compromised accounts could access logs containing credentials for privilege escalation.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires accessing log files containing the credentials, which typically requires some level of system access or log exposure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: C•CURE 9000 Web Server version 3.10.0

Vendor Advisory: https://www.johnsoncontrols.com/-/media/jci/cyber-solutions/product-security-advisories/2024/jci-psa-2024-04.pdf

Restart Required: Yes

Instructions:

1. Download C•CURE 9000 Web Server version 3.10.0 from Johnson Controls. 2. Backup current configuration and data. 3. Install the update following vendor instructions. 4. Restart the IIS service and verify functionality.

🔧 Temporary Workarounds

Restrict IIS Log File Access

windows

Apply strict file system permissions to IIS log directories to prevent unauthorized access.

icacls "C:\inetpub\logs\LogFiles" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" /T

Enable Log File Encryption

windows

Use Windows EFS or third-party encryption to protect log files containing sensitive data.

cipher /e /s:"C:\inetpub\logs\LogFiles"

🧯 If You Can't Patch

Implement strict access controls on IIS log directories to prevent unauthorized access.
Regularly monitor and audit access to IIS log files for suspicious activity.

🔍 How to Verify

Check if Vulnerable:

Check C•CURE 9000 Web Server version in application interface or configuration files; versions prior to 3.10.0 are vulnerable.

Check Version:

Check C•CURE 9000 Web Server version through the application admin interface or configuration files.

Verify Fix Applied:

Verify installation of version 3.10.0 and check that Windows credentials are no longer logged in IIS logs during normal operation.

📡 Detection & Monitoring

Log Indicators:

Windows credential strings appearing in IIS log files
Unauthorized access attempts to IIS log directories

Network Indicators:

Unusual file access patterns to log directories from non-admin accounts

SIEM Query:

EventID=4663 AND ObjectName LIKE '%LogFiles%' AND AccessMask='0x10000' AND SubjectUserName NOT IN ('SYSTEM', 'Administrators')

📊 Metadata

CVE ID: CVE-2024-0912

CVSS v3 Score: 4.2 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

CWE: CWE-532

Published: June 6, 2024

Last Updated: November 21, 2024

🔗 References

https://www.cisa.gov/news-events/ics-advisories/icsa-24-135-03 Third Party Advisory,US Government Resource
https://www.johnsoncontrols.com/-/media/jci/cyber-solutions/product-security-advisories/2024/jci-psa-2024-04.pdf Product
https://www.cisa.gov/news-events/ics-advisories/icsa-24-135-03 Third Party Advisory,US Government Resource
https://www.johnsoncontrols.com/-/media/jci/cyber-solutions/product-security-advisories/2024/jci-psa-2024-04.pdf Product

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-0912, you might also want to check these: