Johnson Controls Metasys and BCPro

MonitorCVSS 4.3ICS-CERT ICSA-18-212-02Jul 31, 2018

Johnson Controls

Attack path

Attack VectorAdjacent

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Johnson Controls Metasys and BCPro systems contain an information disclosure vulnerability (CWE-209) that allows an attacker on the local network to obtain technical information about the server, such as software version or configuration details. This information could be used for reconnaissance to plan more targeted attacks. The vulnerability affects Metasys versions 8.0 and earlier, and BCPro versions earlier than 3.0 (Workstation) or 3.0.2 (BACnet Router/Gateway). No known public exploits exist for this vulnerability.

What this means

What could happen

An attacker on your local network could gather technical details about your Metasys or BCPro server (such as software version or configuration), which would help them plan more targeted attacks against your building automation system.

Who's at risk

Building automation system operators using Johnson Controls Metasys or BCPro systems for facility climate control, lighting, and equipment management. This affects any organization managing HVAC, chiller plants, or other building mechanical systems through these platforms.

How it could be exploited

An attacker with network access to your Metasys or BCPro server can send specially crafted requests to extract technical information (CWE-209: Information Exposure through an Error Message). This reconnaissance helps the attacker understand the system and identify other vulnerabilities to exploit.

Prerequisites

Local network access to Metasys or BCPro server
No authentication required
No special configuration required

low CVSS score (4.3)information disclosure onlylocal network access requiredno active exploitation reported

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (2)

1 with fix1 pending

ProductAffected VersionsFix Status

BCPro (BCM): all< 3.0.2No fix yet

Metasys System:≤ 8.09.0 (minimum 8.1 remediated in April 2016)

Remediation & Mitigation

0/5

Do now

0/1

WORKAROUNDRestrict network access to Metasys and BCPro servers to only authorized engineering workstations and authorized management networks

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade Metasys to version 9.0 or later

HOTFIXUpgrade BCPro Workstation to version 3.0 or later

HOTFIXUpgrade BCPro BACnet Router and Gateway to version 3.0.2 or later

Long-term hardening

0/1

HARDENINGIsolate Metasys and BCPro systems behind firewalls; ensure they are not directly accessible from the Internet or business network

CVEs (1)

CVE-2018-10624

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/f7fa73af-03e1-4904-acfe-1288bc411ba7

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.