OTPulse
FeedAboutContact

Johnson Controls Metasys and BCPro

Monitor4.3ICS-CERT ICSA-18-212-02Jul 31, 2018
Attack VectorAdjacent
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

Johnson Controls Metasys and BCPro systems contain an information disclosure vulnerability (CWE-209) that allows an attacker on the local network to obtain technical information about the server, such as software version or configuration details. This information could be used for reconnaissance to plan more targeted attacks. The vulnerability affects Metasys versions 8.0 and earlier, and BCPro versions earlier than 3.0 (Workstation) or 3.0.2 (BACnet Router/Gateway). No known public exploits exist for this vulnerability.

What this means
What could happen
An attacker on your local network could gather technical details about your Metasys or BCPro server (such as software version or configuration), which would help them plan more targeted attacks against your building automation system.
Who's at risk
Building automation system operators using Johnson Controls Metasys or BCPro systems for facility climate control, lighting, and equipment management. This affects any organization managing HVAC, chiller plants, or other building mechanical systems through these platforms.
How it could be exploited
An attacker with network access to your Metasys or BCPro server can send specially crafted requests to extract technical information (CWE-209: Information Exposure through an Error Message). This reconnaissance helps the attacker understand the system and identify other vulnerabilities to exploit.
Prerequisites
  • Local network access to Metasys or BCPro server
  • No authentication required
  • No special configuration required
low CVSS score (4.3)information disclosure onlylocal network access requiredno active exploitation reported
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2)
1 with fix1 pending
ProductAffected VersionsFix Status
BCPro (BCM): all< 3.0.2No fix yet
Metasys System:≤ 8.09.0 (minimum 8.1 remediated in April 2016)
Remediation & Mitigation
0/5
Do now
0/1
WORKAROUNDRestrict network access to Metasys and BCPro servers to only authorized engineering workstations and authorized management networks
Schedule — requires maintenance window
0/3

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade Metasys to version 9.0 or later
HOTFIXUpgrade BCPro Workstation to version 3.0 or later
HOTFIXUpgrade BCPro BACnet Router and Gateway to version 3.0.2 or later
Long-term hardening
0/1
HARDENINGIsolate Metasys and BCPro systems behind firewalls; ensure they are not directly accessible from the Internet or business network
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/f7fa73af-03e1-4904-acfe-1288bc411ba7
Johnson Controls Metasys and BCPro | CVSS 4.3 - OTPulse