
CVE-2024-32754: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in Johnson Controls Kantech KT1 Door Controller, Rev01

Severity: Low
Tags: Vulnerability, CVE-2024-32754, cve, cwe-200
Published: Thu Jul 04 2024 (07/04/2024, 10:43:46 UTC)
Source: CVE
Vendor/Project: Johnson Controls
Product: Kantech KT1 Door Controller, Rev01

Description

Under certain circumstances, when the controller is in factory reset mode waiting for initial setup, it will broadcast its MAC address, serial number, and firmware version. Once configured, the controller will no longer broadcast this information.

AI-Powered Analysis

Last updated: 06/25/2025, 16:04:49 UTC

Technical Analysis

CVE-2024-32754 is a vulnerability in the Johnson Controls Kantech KT1 Door Controller, Revision 01. While the device is in factory reset mode and waiting for initial setup, it broadcasts its MAC address, serial number and firmware version on the local network. The broadcast stops once the controller has been configured. The issue is classified as CWE-200, exposure of sensitive information to an unauthorized actor. The CVSS v3.1 base score is 3.1 (Low), with vector AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N: the attacker must be on the same broadcast domain as the controller (broadcast frames are not forwarded across routers), attack complexity is high because the attacker has to be listening during the window between reset and configuration, no privileges or user interaction are needed, scope is unchanged, and only confidentiality is affected, at low impact. No exploits in the wild are known and no patch has been published. Of the three disclosed values, the MAC address is already visible in the source field of every frame the controller sends on that segment, so the substantive disclosure is the serial number and firmware version; together they let an adjacent attacker confirm that a KT1 is present, fingerprint its firmware level and plan later attacks against known issues in that version. Because the exposure is confined to the provisioning window and requires adjacency, the likelihood of exploitation is low, and neither integrity nor availability of the device is affected.

Potential Impact

For European organizations, the impact is information disclosure during device provisioning. An organization deploying Kantech KT1 controllers in its physical security infrastructure may expose device identifiers and firmware versions to anyone on the same network segment while a controller is being installed or has been factory reset. An adversary can use that to map the access-control deployment and single out controllers running firmware versions with known weaknesses. Because the exposure is confined to factory reset mode and requires presence on the local segment, widespread exploitation is unlikely; what is disclosed is device metadata rather than personal or operational data, and there is no effect on integrity or availability, so operational disruption is not expected. Organizations with large physical security deployments in sensitive sites (government buildings, critical infrastructure, corporate headquarters) should nonetheless assume that an attacker with network adjacency during a setup window can collect this information for use in later, more targeted attacks.

Mitigation Recommendations

The broadcast stops as soon as the controller is configured, so the most direct control is to complete initial setup immediately after a factory reset and never leave a reset controller connected and unattended. Beyond that, European organizations should implement the following measures:

1. Physical security controls: Restrict physical and network access to the areas where door controllers are installed, especially during installation and maintenance, so that unauthorized parties cannot be adjacent to a device while it is in factory reset mode.
2. Network segmentation: Provision controllers on a network segment isolated from general user and guest networks. The beacon is a broadcast, so it is only visible within that segment's broadcast domain.
3. Controlled setup procedures: Perform factory resets and initial configuration in controlled environments with only authorized personnel present, never in publicly accessible or unsecured locations.
4. Monitoring and logging: Monitor the provisioning segment for the broadcast. Because a configured controller stops beaconing, a beacon from a controller that your inventory records as configured means it has been factory reset, which is worth an alert in its own right; a beacon from a MAC address that is not in inventory means an unregistered controller is on the segment.
5. Firmware management: No patch is currently available. Track Johnson Controls advisories for a firmware update addressing this issue and plan to apply it promptly once released.
6. Device inventory and tracking: Maintain an accurate inventory of all Kantech KT1 controllers, including MAC address and provisioning status, so that devices in factory reset mode can be identified quickly and beacons can be correlated against expected state.
7. Vendor engagement: Ask Johnson Controls whether a firmware update or configuration option exists that suppresses or encrypts the information broadcast during factory reset mode.

These mitigations focus on procedural controls during the vulnerable state and on network architecture that limits who can observe the broadcast.


Technical Details

Data Version: 5.1
Assigner Short Name: jci
Date Reserved: 2024-04-17T17:26:35.180Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d983ac4522896dcbed196

Added to database: 5/21/2025, 9:09:14 AM

Last enriched: 6/25/2025, 4:04:49 PM

Last updated: 8/1/2025, 7:04:10 PM

