Johnson Controls Metasys Reporting Engine (MRE) Web Services
Plan: Patch | CVSS: 7.5 | Source: ICS-CERT ICSA-21-049-01 | Published: Feb 18, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Metasys Reporting Engine versions 2.0 and 2.1 contain a path traversal vulnerability (CWE-22) in the web services interface. A remote, unauthenticated attacker can use it to read and download arbitrary files from the host running the Metasys Reporting Engine. This exposes potentially sensitive building automation data, configuration and other files stored on the affected system.
What this means
What could happen
An unauthenticated attacker with network access could download arbitrary files from the Metasys Reporting Engine, potentially exposing building automation configuration, credentials, or operational data stored on the system.
Who's at risk
Building automation operators and facility managers using Johnson Controls Metasys systems should be concerned. The Reporting Engine collects and stores operational data from HVAC, lighting, and other building systems. Unauthorized file access could expose system configurations, setpoints, schedules, and potentially user credentials used to manage the building automation network.
How it could be exploited
An attacker on the network reaches the MRE web services interface without authenticating and supplies a file path that contains directory traversal sequences (such as ../) to a service that reads files from disk. Because the service does not canonicalize the requested path and confine it to its intended directory (CWE-22), the request escapes that directory and the contents of files elsewhere on the system are returned.
Prerequisites
- Network access to the Metasys Reporting Engine web services interface
- No authentication credentials required
Tags: remotely exploitable, no authentication required, low complexity, path traversal vulnerability
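To make the traversal mechanism described above concrete, the following is an added example (not Johnson Controls code and not taken from the MRE product): a file-download resolver written the vulnerable way, beside a hardened one that fully decodes the request, rejects NUL bytes, canonicalizes the path and checks that it stays inside the report directory. The report directory layout and every sample request are constructed for illustration; the real MRE endpoint and directory names are not on the advisory page.

```python
"""Added example: CWE-22 in a file-download resolver, vulnerable and hardened."""
import os
import tempfile
import urllib.parse

# Constructed sample requests: one legitimate report name and several
# traversal variants of the kind a scanner sends to a download endpoint.
SAMPLE_REQUESTS = [
    "monthly/energy.csv",                 # legitimate
    "../../../etc/passwd",                # plain traversal
    "..%2F..%2F..%2Fetc%2Fpasswd",        # URL-encoded separators
    "%252e%252e%2fsecrets.xml",           # double-encoded dots
    "..\\..\\..\\windows\\win.ini",       # backslash separators
    "/etc/passwd",                        # absolute path
    "monthly/energy.csv%00.pdf",          # NUL byte to defeat an extension check
]


def resolve_unsafe(root, requested):
    """Vulnerable pattern: decode once, join, never check where the result lands."""
    name = urllib.parse.unquote(requested)
    return os.path.normpath(os.path.join(root, name))


def resolve_safe(root, requested):
    """Hardened resolver: returns a canonical path inside root, or None."""
    name = requested
    for _ in range(3):                      # decode until stable: catches %252e%252e
        decoded = urllib.parse.unquote(name)
        if decoded == name:
            break
        name = decoded
    if "\x00" in name:                      # NUL bytes never occur in real report names
        return None
    name = name.replace("\\", "/")          # treat backslashes as separators on any host OS
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, name))
    # Containment check on the canonical path (symlinks resolved), not the raw string.
    if not candidate.startswith(root_real + os.sep):
        return None
    return candidate


def is_inside(root, path):
    """True if an already-resolved path lies under root."""
    return path.startswith(os.path.realpath(root) + os.sep)


def demo():
    """Run every sample request through both resolvers in a throwaway report tree.

    Returns {request: (unsafe_outcome, safe_outcome)}: "inside"/"escaped" for
    the vulnerable resolver, "served"/"rejected" for the hardened one.
    """
    root = os.path.realpath(tempfile.mkdtemp(prefix="mre-reports-"))
    os.makedirs(os.path.join(root, "monthly"))
    with open(os.path.join(root, "monthly", "energy.csv"), "w") as fh:
        fh.write("timestamp,kWh\n")          # constructed report content
    results = {}
    for req in SAMPLE_REQUESTS:
        unsafe = resolve_unsafe(root, req)
        safe = resolve_safe(root, req)
        results[req] = (
            "inside" if is_inside(root, unsafe) else "escaped",
            "served" if safe is not None else "rejected",
        )
    return results


if __name__ == "__main__":
    for req, (unsafe, safe) in demo().items():
        print(f"{req!r:40} vulnerable: {unsafe:8} hardened: {safe}")
```

The double-encoded and NUL-byte requests stay "inside" for the vulnerable resolver on its own, which is exactly why they are dangerous: a later layer (a second decode, a C-level open that stops at the NUL) changes the path after the check. The hardened resolver decides on the fully decoded name and on the canonical path, so those variants are rejected along with the plain ones.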
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
Metasys Reporting Engine (MRE) v2.1 | 2.1 | 2.2 or later
Metasys Reporting Engine (MRE) v2.0 | 2.0 | 2.2 or later
Remediation & Mitigation
Do now
Metasys Reporting Engine (MRE): v2.1
WORKAROUND: Restrict network access to the MRE web services interface with firewall rules; allow only trusted management workstations.
Schedule (requires a maintenance window)
Patching may require a device reboot; plan for process interruption.
HOTFIX: Upgrade Metasys Reporting Engine to v2.2 or later.
Long-term hardening
HARDENING: Isolate the Metasys Reporting Engine on a network segment separate from the business network and the internet.
HARDENING: If remote access is required, route connections through a VPN that is kept current with security patches.
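Alongside the workaround and upgrade, a defender will want to know whether traversal requests have already reached the interface. The following is an added example (not part of the advisory and not Johnson Controls tooling) that scans an IIS W3C extended access log for traversal attempts, decoding each URL repeatedly before matching so that double-encoded variants are caught. The endpoint path /MetasysReports/api/download/ and every log line are constructed for this example; the real MRE URL layout is not documented on this page.

```python
"""Added example: find path traversal attempts in a W3C extended access log."""
import re
import urllib.parse

# Constructed sample log excerpt (IIS W3C extended format, reduced field set).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2021-02-19 08:12:01 10.20.30.5 GET /MetasysReports/api/download/energy-2021-01.pdf - 200
2021-02-19 08:12:09 203.0.113.7 GET /MetasysReports/api/download/..%2F..%2F..%2Fwindows%2Fwin.ini - 200
2021-02-19 08:12:10 203.0.113.7 GET /MetasysReports/api/download/report.pdf file=..%5C..%5Cweb.config 200
2021-02-19 08:12:11 203.0.113.7 GET /MetasysReports/api/download/%252e%252e%252f%252e%252e%252fweb.config - 200
2021-02-19 08:13:40 10.20.30.5 GET /MetasysReports/api/download/schedule..v2.pdf - 200
"""

# A ".." segment bounded by a separator, query delimiter or string boundary.
# "schedule..v2.pdf" does not match; "../", "..\\" and "=..\\" do.
TRAVERSAL = re.compile(r"(?:^|[\\/=&?])\.\.(?:[\\/]|$)")


def fully_decode(value):
    """Percent-decode until the string stops changing (handles %252e%252e)."""
    prev = None
    while value != prev:
        prev, value = value, urllib.parse.unquote(value)
    return value


def has_traversal(value):
    """True if a URL stem or query contains a traversal segment after decoding."""
    return value != "-" and TRAVERSAL.search(fully_decode(value)) is not None


def scan(log_text):
    """Return [(c-ip, cs-uri-stem, cs-uri-query, sc-status)] for suspicious requests.

    Field positions come from the #Fields directive, so logs with a different
    field selection parse the same way.
    """
    fields = None
    hits = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "-")
        query = row.get("cs-uri-query", "-")
        if has_traversal(stem) or has_traversal(query):
            hits.append((row.get("c-ip"), stem, query, row.get("sc-status")))
    return hits


if __name__ == "__main__":
    for ip, stem, query, status in scan(SAMPLE_LOG):
        print(f"{ip} {status} {stem} {query}")
```

A 200 status on a matching request is the line to investigate first: on an unpatched 2.0 or 2.1 host it means the file was returned. Matching on the raw, undecoded string would miss the second and fourth sample lines entirely.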
CVEs (1)