OTPulse

Johnson Controls Metasys

Monitor · 6.8 · ICS-CERT ICSA-19-227-01 · Aug 15, 2019
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: Required
Summary

Johnson Controls Metasys system versions prior to 9.0 contain cryptographic weaknesses (improper use of cryptographic keys and inadequate cryptographic key restrictions) that allow an attacker who captures network traffic to decrypt sensitive communications. The vulnerabilities stem from weak or hardcoded encryption keys used to protect communication between Metasys components. No known public exploits exist, and exploitation requires high technical skill and the ability to capture and analyze network traffic. The advisory does not indicate these vulnerabilities are actively exploited in the wild.

What this means
What could happen
An attacker who captures Metasys network traffic can decrypt it to obtain sensitive system information and credentials, compromising the confidentiality of control system communications.
Who's at risk
Transportation operators and facility managers running Johnson Controls Metasys building management and control systems, particularly those with versions prior to 9.0 managing critical infrastructure like airport, rail, or transit facility operations.
How it could be exploited
An attacker must first capture network traffic between Metasys components (likely by gaining access to the network segment where the system operates), then use weak or hardcoded cryptographic keys (CWE-323, CWE-321) to decrypt the captured traffic offline. This requires network access and cryptanalysis capability but no real-time interaction with the system.
Prerequisites
  • Network access to capture Metasys traffic (man-in-the-middle position or network tap)
  • Sufficient time and resources to perform cryptanalysis on captured packets
  • Metasys version prior to 9.0
  • System not using trusted certificates for encryption
remotely exploitable · no patch available for legacy versions · weak cryptographic implementation · high skill level required for exploitation
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
Metasys system | < 9.0 | 9.0 or later
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade Metasys to version 9.0 or later
HARDENING: Configure all Metasys sites with trusted certificates for encrypted communications
Long-term hardening
HARDENING: Isolate Metasys network from Internet and business network using firewalls and network segmentation
HARDENING: Implement network monitoring and access controls to detect unauthorized traffic capture attempts