Johnson Controls Fixes Metasys Holes

Wednesday, March 18, 2015 @ 03:03 PM gHale

Johnson Controls created patches for two vulnerabilities in its Metasys building management system, according to a report on ICS-CERT.

These vulnerabilities, discovered by independent security researcher Billy Rios, are remotely exploitable.

The following Johnson Controls products, using Metasys Releases 4.1 to 6.5, are affected:
• Application and Data Server (ADS)
• Extended Application and Data Server (ADX)
• LonWorks Control Server 85 (LCS8520)
• Network Automation Engine (NAE) 55xx-x models
• Network Integration Engine (NIE) 5xxx-x models
• NxE8500

These vulnerabilities could allow an unauthenticated remote attacker to compromise the confidentiality, integrity, and availability of a Metasys system.

Johnson Controls is a U.S.-based company that maintains offices in several countries around the world, including the U.S., UK, Netherlands, Italy, India, Germany, France, Czech Republic, China, and Australia.

Metasys systems provide traditional building control capabilities with built-in integration to web-based architecture and wireless technologies. Metasys systems are deployed across several sectors, including commercial facilities and government facilities. Johnson Controls said these products are used worldwide.

A remote attacker may be able to retrieve the password hash for an authorized Metasys user with an unauthenticated POST request. A remote attacker could then use the retrieved encrypted passwords to compromise the Metasys system.

CVE-2014-5427 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 10.0.

The Metasys system makes web services available to unauthenticated remote users. These services could allow an attacker to upload a shell script to an arbitrary location on the Metasys system and execute it, resulting in the compromise of the system.

CVE-2014-5428 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 10.0.

No known public exploits specifically target these vulnerabilities. An attacker with low skill would be able to exploit these vulnerabilities.

Johnson Controls developed patches for all affected Metasys releases (4.1, 5.x, and 6.x). Metasys releases prior to Release 4.1 do not have the problem. Metasys products NxE25/35/45 also do not suffer from these vulnerabilities.

The product patches, along with installation instructions, can be obtained from any local Johnson Controls branch office or Metasys Authorized Building Control Specialists. Johnson Controls recommends that asset owners and operators adhere to IT best practices and guidelines described in the following Metasys installation documents to further reduce the risk associated with these vulnerabilities:
• Network and IT Guidance for the IT Professional Technical Bulletin (LIT-1201578).
• Network and IT Guidance for the BAS Professional Technical Bulletin (LIT-12011279).