Johnson Controls Metasys
Monitor · Score 7.5 · ICS-CERT ICSA-20-070-05 · Mar 10, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
An XML external entity (XXE) injection vulnerability exists in Johnson Controls Metasys building automation servers. The vulnerability allows an attacker to send a specially crafted XML request to the server, which can result in denial-of-service attacks by consuming server resources or unauthorized disclosure of sensitive system configuration and operational data. The vulnerability affects multiple Metasys components including LonWorks Control Servers, Open Application Servers, Network Automation Engines, Network Integration Engines, Extended Application and Data Servers, Application and Data Servers, Open Data Servers, and the System Configuration Tool.
What this means
What could happen
An attacker could cause a denial-of-service attack on critical building automation systems like fire suppression, HVAC, or lighting control, or gain access to sensitive system configuration and operational data stored on affected Metasys servers.
Who's at risk
Building automation and environmental control system operators, particularly those running Johnson Controls Metasys systems for fire suppression, smoke control, HVAC, lighting, and other critical building infrastructure. This affects all sites using LonWorks Control Servers, Open Application Servers, Network Automation Engines, Network Integration Engines, Extended Application and Data Servers, or System Configuration Tools on the listed versions.
How it could be exploited
An attacker with network access to an affected Metasys server could send a malicious XML request that exploits the XML external entity (XXE) vulnerability to either consume server resources and cause a denial-of-service condition, or read sensitive files and configuration data from the server.
Prerequisites
- Network reachability to the vulnerable Metasys server on the port it listens on
- No authentication required
Tags: remotely exploitable · no authentication required · low complexity · no patch available · affects safety systems
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (10)
2 pending · 8 EOL

Product | Affected Versions | Fix Status
Smoke Control Network Automation Engine (NAE55 UL 864 UUKL/ORD-C100-13 UUKLC 10th Edition Listed): Release 8.1 | 8.1 | No fix yet
LonWorks Control Server (LCS): Release 10.1 and prior | ≤ 10.1 | No fix (EOL)
Open Application Server (OAS): Release 10.1 | 10.1 | No fix (EOL)
Extended Application and Data Server (ADX): Release 10.1 and prior | ≤ 10.1 | No fix (EOL)
NAE85 and NIE85: Release 10.1 and prior | ≤ 10.1 | No fix (EOL)
Application and Data Server (ADS, ADS-Lite): Release 10.1 and prior | ≤ 10.1 | No fix (EOL)
Network Automation Engine (NAE55 only): Releases 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6 | 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6 | No fix yet
Open Data Server (ODS): Release 10.1 and prior | ≤ 10.1 | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Restrict network access to Metasys servers to only authorized administrative workstations and networks using firewall rules or network segmentation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Contact Johnson Controls support or a branch office for remediation and patching guidance, as indicated in JCI-PSA-2020-3 v1
Mitigations - no patch available
The following products have reached End of Life with no planned fix: LonWorks Control Server (LCS): Release 10.1 and prior, Open Application Server (OAS): Release 10.1, Extended Application and Data Server (ADX): Release 10.1 and prior, NAE85 and NIE85: Release 10.1 and prior, Application and Data Server (ADS, ADS-Lite): Release 10.1 and prior, Open Data Server (ODS): Release 10.1 and prior, Network Integration Engine (NIE55/NIE59): Releases 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6, System Configuration Tool (SCT): Release 13.2 and prior. Apply the following compensating controls:
- HARDENING: Isolate affected Metasys components on a dedicated building automation network segment separate from corporate IT networks
- HARDENING: Implement continuous monitoring and logging of network traffic to and from Metasys servers to detect suspicious XML-based requests
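The summary describes both consequences of the XXE flaw (resource consumption through entity expansion, and disclosure through an external entity), and the last compensating control above asks for monitoring that can spot such requests. The Python below shows the defender's side of both: a monitoring rule that flags request bodies carrying DOCTYPE, ENTITY or SYSTEM/PUBLIC declarations, and a parser that refuses any DTD before it is processed, so neither variant reaches the application. This is an added illustration, not code from Johnson Controls, Metasys, ICS-CERT or this advisory; the three request bodies are constructed samples, and the element names and the SYSTEM identifier placeholder are assumptions made for the example.

```python
import re
import xml.parsers.expat as expat

# Constructed sample request bodies (not real Metasys traffic); the element
# names are assumptions made for this illustration.
CLEAN_REQUEST = (
    '<?xml version="1.0"?>'
    "<request><object>AV-1</object><attribute>present-value</attribute></request>"
)
# Declares an external entity: the disclosure variant from the summary.
EXTERNAL_ENTITY_REQUEST = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE request [<!ENTITY ext SYSTEM "file:///PLACEHOLDER-PATH">]>'
    "<request><object>&ext;</object></request>"
)
# Declares only internal entities that expand into each other: the
# resource-consumption (denial-of-service) variant.
EXPANSION_REQUEST = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE request [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
    "<request><object>&b;</object></request>"
)

# Monitoring rule: a legitimate request to the XML endpoint never needs a
# DTD, so any of these markers in a body is worth an alert.
_SIGNATURES = {
    "doctype": re.compile(r"<!DOCTYPE\b", re.IGNORECASE),
    "entity_decl": re.compile(r"<!ENTITY\b", re.IGNORECASE),
    "external_id": re.compile(r"\b(?:SYSTEM|PUBLIC)\s+[\"']", re.IGNORECASE),
}


def inspect_xml_request(body: str) -> list[str]:
    """Return the names of the XXE-related signals present in an XML body."""
    return [name for name, rx in _SIGNATURES.items() if rx.search(body)]


class UnsafeXMLError(ValueError):
    """Raised when a body carries a DTD, entity declaration or external reference."""


def parse_without_dtd(body: str) -> dict[str, str]:
    """Parse a flat request with expat, refusing DTDs and entities outright.

    Returns a mapping of leaf element name to its text content.
    """
    parser = expat.ParserCreate()
    # Never load or expand parameter entities, even if one were declared.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def refuse(reason: str):
        def handler(*_args):
            raise UnsafeXMLError(reason)  # propagates out of parser.Parse()
        return handler

    # Refusing the DOCTYPE itself stops both internal entity expansion and
    # external entity resolution before any entity is defined.
    parser.StartDoctypeDeclHandler = refuse("DOCTYPE declaration refused")
    parser.EntityDeclHandler = refuse("ENTITY declaration refused")
    parser.ExternalEntityRefHandler = refuse("external entity reference refused")

    fields: dict[str, str] = {}
    text: list[str] = []

    def start(_name, _attrs):
        text.clear()

    def chars(data):
        text.append(data)

    def end(name):
        value = "".join(text).strip()
        if value:
            fields[name] = value
        text.clear()

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(body, True)
    return fields


def triage(body: str) -> dict:
    """Combine the monitoring signals with the hardened parser's verdict."""
    result = {"signals": inspect_xml_request(body), "accepted": False, "fields": {}}
    try:
        result["fields"] = parse_without_dtd(body)
        result["accepted"] = True
    except (UnsafeXMLError, expat.ExpatError) as exc:
        result["reason"] = str(exc)
    return result


if __name__ == "__main__":
    for label, body in [("clean", CLEAN_REQUEST),
                        ("external entity", EXTERNAL_ENTITY_REQUEST),
                        ("entity expansion", EXPANSION_REQUEST)]:
        print(f"{label}: {triage(body)}")
```

The regex rule is deliberately coarse: it is meant for a network monitor or reverse proxy in front of a server that cannot be patched, where a false positive on a DOCTYPE is cheap and a missed request is not. The parser-side refusal is the control to prefer wherever the XML handling code itself can be changed, because it does not depend on recognising any particular payload shape.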
CVEs (1)
API:
/api/v1/advisories/1c5fb042-1be5-49ef-bd9f-73b495bbc1e5