Johnson Controls Metasys Vulnerabilities
Low RiskICS-CERT ICSA-14-350-02Sep 18, 2014
Johnson Controls
Summary
Johnson Controls Metasys and related building automation controllers contain weak password storage and insecure file upload vulnerabilities. Affected products include Application and Data Server (ADS), Extended Application and Data Server (ADX), LonWorks Control Server (LCS8520), Network Automation Engine (NAE), Network Integration Engine (NIE), and NxE8500. These devices are commonly used in HVAC, lighting, access control, and energy management systems in commercial buildings and critical infrastructure.
What this means
What could happen
An attacker with access to configuration files or the administrative interface could extract weak passwords or upload malicious files to gain control of building systems, potentially disabling HVAC, lighting, or access controls that could affect facility operations and occupant safety.
Who's at risk
Building automation and facility management teams at hospitals, data centers, manufacturing facilities, office buildings, and other critical infrastructure that rely on Johnson Controls Metasys for HVAC, lighting, access control, and energy management. Organizations running any version of Metasys 4.1 through 6.5, or any version of ADS, ADX, LCS8520, NAE, NIE, or NxE8500 systems.
How it could be exploited
An attacker would need to obtain access to Metasys configuration files or the administrative upload interface, either by gaining network access to the ADS/ADX server or by compromising credentials. Once file upload access is obtained, malicious scripts or firmware could be uploaded to execute commands on the system or compromise connected building automation devices.
Prerequisites
- Network access to Metasys ADS/ADX web interface or file system
- Valid administrative credentials for file upload or configuration access
- Knowledge of Metasys system architecture and file structure
No patch available from vendorWeak password storage (CWE-257)Insecure file upload mechanism (CWE-434)Affects critical building systems (HVAC, access control, energy management)
Exploitability
Some exploitation risk — EPSS score 2.6%
Affected products (7)
7 EOL
ProductAffected VersionsFix Status
Metasys: >=4.1|<6.5≥ 4.1|<6.5No fix (EOL)
Application and Data Server (ADS): vers:all/*All versionsNo fix (EOL)
Extended Application and Data Server (ADX): vers:all/*All versionsNo fix (EOL)
LonWorks Control Server 85 (LCS8520): vers:all/*All versionsNo fix (EOL)
Network Automation Engine (NAE): 55xx-x_models55xx-x modelsNo fix (EOL)
Network Integration Engine (NIE): 5xxx-x_models5xxx-x modelsNo fix (EOL)
NxE8500: vers:all/*All versionsNo fix (EOL)
Remediation & Mitigation
0/5
Do now
0/2WORKAROUNDImplement file integrity monitoring (FIM) on Metasys configuration and system files to detect unauthorized modifications
HARDENINGReview and restrict administrative access to Metasys systems to the minimum necessary personnel
Schedule — requires maintenance window
0/1Patching may require device reboot — plan for process interruption
Application and Data Server (ADS): vers:all/*
HARDENINGRegularly audit and rotate administrative credentials for all Metasys components (ADS, ADX, NAE, NIE, LCS8520)
Mitigations - no patch available
0/2The following products have reached End of Life with no planned fix: Metasys: >=4.1|<6.5, Application and Data Server (ADS): vers:all/*, Extended Application and Data Server (ADX): vers:all/*, LonWorks Control Server 85 (LCS8520): vers:all/*, Network Automation Engine (NAE): 55xx-x_models, Network Integration Engine (NIE): 5xxx-x_models, NxE8500: vers:all/*. Apply the following compensating controls:
HARDENINGImplement network segmentation to isolate Metasys servers from untrusted networks and restrict access to administrative interfaces to authorized engineering workstations only
HARDENINGImplement strong access controls and monitor for unauthorized file uploads or configuration changes to Metasys systems
CVEs (2)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/0ffc7d1c-cf87-4a2f-ae26-31ceb3d23befGet OT security insights every Tuesday
Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.