OTPulse

Johnson Controls Metasys

Recommended action: Plan Patch
CVSS: 8.8
ICS-CERT: ICSA-21-159-01
Published: Jun 8, 2021
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

A vulnerability in Johnson Controls Metasys allows authenticated users to bypass file system access controls by sending specially crafted web messages. An attacker with valid Metasys credentials can read or modify system files that should be restricted, potentially affecting building automation functions. The vulnerability affects all versions of Metasys. Johnson Controls recommends users upgrade to version 9.0 or later, and users on versions 9.0 (engine), 10.0, 10.1, or 11.0 should install the available security patch. No public exploits are currently known.

What this means
What could happen
An authenticated Metasys user could gain unauthorized access to the underlying server's file system, allowing them to read or modify system files that control building automation functions and potentially disrupt HVAC, lighting, or security operations.
Who's at risk
Building automation operators and facility managers who rely on Johnson Controls Metasys for managing HVAC, lighting, fire safety, or security systems. This affects all versions of Metasys, with particular concern for organizations running versions before 9.0 or any currently supported version that has not yet received the security patch.
How it could be exploited
An attacker with valid Metasys credentials sends a specially crafted web message to the Metasys server that exploits improper access controls. The server processes the request and allows the attacker to traverse the file system beyond their intended permissions, accessing sensitive system files that should be restricted.
Prerequisites
  • Valid Metasys user account credentials
  • Network access to the Metasys web interface (typically port 80/443)
  • Knowledge of crafted message format to trigger the vulnerability
Risk factors
  • Requires valid credentials (low barrier for insiders or compromised accounts)
  • Remotely exploitable
  • Low attack complexity
  • No patch available for all versions (all versions listed as no fix)
  • Affects facility automation and safety systems
  • Can lead to unauthorized file modification
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product                Affected Versions   Fix Status
Metasys: All versions  All versions        9.0 or later (with patch for versions 9.0 engine, 10.0, 10.1, 11.0)
Remediation & Mitigation
Do now
  • HARDENING: Audit all active and dormant user accounts and remove any that are no longer needed or whose users have left the organization
  • HARDENING: Delete user accounts for employees who have left or been reassigned and no longer require Metasys access
  • HARDENING: Enable and regularly monitor Metasys audit logs and Cyber Health Dashboard (Release 10.1 or later) for suspicious user activity
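Because this vulnerability is only reachable with valid Metasys credentials, the account-hygiene steps above are the immediate control. The script below is an added example, not part of the OTPulse advisory or of Johnson Controls software: it assumes a user-list export has been produced from the Metasys administration tools in a constructed CSV shape (username, role, last_login, status) and flags departed, never-used and dormant accounts against an assumed 90-day policy threshold.

```python
"""Dormant / departed account audit over a constructed user export.

Added example for the 'Do now' hardening steps. The CSV layout, the
sample rows and the 90-day threshold are assumptions for illustration;
Metasys has its own export tooling and formats.
"""
import csv
import io
from datetime import date, datetime

# Constructed sample export: one dormant account, one account belonging to
# a departed employee, one vendor account that has never logged in.
SAMPLE_EXPORT = """username,role,last_login,status
ops.alice,Operator,2021-06-01,active
eng.bob,Administrator,2020-11-15,active
vendor.svc,Operator,,active
hvac.carol,Operator,2021-05-20,departed
"""

DORMANT_AFTER_DAYS = 90  # assumed organisational policy, not a vendor value


def parse_export(text):
    """Parse the constructed CSV; an empty last_login becomes None."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        last = row["last_login"].strip()
        row["last_login"] = (
            datetime.strptime(last, "%Y-%m-%d").date() if last else None
        )
        rows.append(row)
    return rows


def audit_accounts(rows, today, dormant_after_days=DORMANT_AFTER_DAYS):
    """Return {username: reason} for accounts that should be removed or reviewed.

    Departed users are reported regardless of recent activity, since a
    recently used account of a departed employee is the more urgent case.
    """
    findings = {}
    for row in rows:
        name = row["username"]
        if row["status"].strip().lower() == "departed":
            findings[name] = "user has left the organization; delete account"
            continue
        if row["last_login"] is None:
            findings[name] = "never logged in; confirm it is still required"
            continue
        idle_days = (today - row["last_login"]).days
        if idle_days > dormant_after_days:
            findings[name] = f"dormant for {idle_days} days; remove or disable"
    return findings


def run_sample():
    """Run the audit over the constructed export as of the advisory date."""
    return audit_accounts(parse_export(SAMPLE_EXPORT), date(2021, 6, 8))


if __name__ == "__main__":
    for user, reason in sorted(run_sample().items()):
        print(f"{user}: {reason}")
```

Run it against a real export by replacing `SAMPLE_EXPORT` with the file contents and `date(2021, 6, 8)` with `date.today()`; the findings list is the review queue for the removal step, and re-running it after each review documents that the dormant set is empty.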
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: For Metasys versions earlier than 9.0, upgrade to a supported release (9.0 or later)
  • HOTFIX: For Metasys version 9.0 (engine), 10.0, 10.1, or 11.0, install the security patch from Johnson Controls
Long-term hardening
  • HARDENING: Enforce mandatory password changes across all Metasys user accounts on a regular schedule
  • HARDENING: Restrict network access to the Metasys server from the business network and Internet; place it behind a firewall
  • HARDENING: If remote access is required, use a VPN and keep it updated to the latest version