Johnson Controls Metasys

MonitorCVSS 7.5ICS-CERT ICSA-20-070-05Mar 10, 2020

Johnson Controls

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

An XML external entity (XXE) injection vulnerability exists in Johnson Controls Metasys building automation servers. The vulnerability allows an attacker to send a specially crafted XML request to the server, which can result in denial-of-service attacks by consuming server resources or unauthorized disclosure of sensitive system configuration and operational data. The vulnerability affects multiple Metasys components including LonWorks Control Servers, Open Application Servers, Network Automation Engines, Network Integration Engines, Extended Application and Data Servers, Application and Data Servers, Open Data Servers, and the System Configuration Tool.

What this means

What could happen

An attacker could cause a denial-of-service attack on critical building automation systems like fire suppression, HVAC, or lighting control, or gain access to sensitive system configuration and operational data stored on affected Metasys servers.

Who's at risk

Building automation and environmental control system operators, particularly those running Johnson Controls Metasys systems for fire suppression, smoke control, HVAC, lighting, and other critical building infrastructure. This affects all sites using LonWorks Control Servers, Open Application Servers, Network Automation Engines, Network Integration Engines, Extended Application and Data Servers, or System Configuration Tools on the listed versions.

How it could be exploited

An attacker with network access to an affected Metasys server could send a malicious XML request that exploits the XML external entity (XXE) vulnerability to either consume server resources and cause a denial-of-service condition, or read sensitive files and configuration data from the server.

Prerequisites

Network reachability to the vulnerable Metasys server on the port it listens on
No authentication required

remotely exploitableno authentication requiredlow complexityno patch availableaffects safety systems

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (10)

2 pending8 EOL

ProductAffected VersionsFix Status

Smoke Control Network Automation Engine (NAE55 UL 864 UUKL/ORD-C100-13 UUKLC 10th Edition Listed): Release 8.18.1No fix yet

LonWorks Control Server (LCS): Release 10.1 and prior≤ 10.1No fix (EOL)

Open Application Server (OAS): Release 10.110.1No fix (EOL)

Extended Application and Data Server (ADX): Release 10.1 and prior≤ 10.1No fix (EOL)

NAE85 and NIE85: Release 10.1 and prior≤ 10.1No fix (EOL)

Application and Data Server (ADS ADS-Lite): Release 10.1 and prior≤ 10.1No fix (EOL)

Network Automation Engine (NAE55 only): Releases 9.0.1 9.0.2 9.0.3 9.0.5 9.0.69.0.1 | 9.0.2 | 9.0.3 | 9.0.5 | 9.0.6No fix yet

Open Data Server (ODS): Release 10.1 and prior≤ 10.1No fix (EOL)

Remediation & Mitigation

0/4

Do now

0/1

HARDENINGRestrict network access to Metasys servers to only authorized administrative workstations and networks using firewall rules or network segmentation

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXContact Johnson Controls support or a branch office for remediation and patching guidance, as indicated in JCI-PSA-2020-3 v1

Mitigations - no patch available

0/2

The following products have reached End of Life with no planned fix: LonWorks Control Server (LCS): Release 10.1 and prior, Open Application Server (OAS): Release 10.1, Extended Application and Data Server (ADX): Release 10.1 and prior, NAE85 and NIE85: Release 10.1 and prior, Application and Data Server (ADS ADS-Lite): Release 10.1 and prior, Open Data Server (ODS): Release 10.1 and prior, Network Integration Engine (NIE55/NIE59): Releases 9.0.1 9.0.2 9.0.3 9.0.5 9.0.6, System Configuration Tool (SCT): Release 13.2 and prior. Apply the following compensating controls:

HARDENINGIsolate affected Metasys components on a dedicated building automation network segment separate from corporate IT networks

HARDENINGImplement continuous monitoring and logging of network traffic to and from Metasys servers to detect suspicious XML-based requests

CVEs (1)

CVE-2020-9044

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/1c5fb042-1be5-49ef-bd9f-73b495bbc1e5

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.