OTPulse

Johnson Controls Metasys

Plan Patch · 8.1 · ICS-CERT ICSA-22-104-02 · Apr 14, 2022
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

A session token is not properly cleared when a user logs out of Johnson Controls Metasys ADS/ADX/OAS Servers. An authenticated user's session token could be reused by an attacker who obtains it, potentially allowing unauthorized access to the building automation system. The vulnerability has high attack complexity.

What this means
What could happen
An attacker who obtains a valid session token from a logged-out user could gain unauthorized access to the Metasys building automation system, potentially allowing them to view sensitive building configuration, occupancy data, or manipulate HVAC and facility controls.
Who's at risk
Building automation operators and facility managers at organizations using Johnson Controls Metasys ADS, ADX, or OAS servers for HVAC, lighting, and facility management should prioritize this update. This affects all mid-size and larger commercial buildings, data centers, hospitals, and municipal facilities that rely on Metasys for building control.
How it could be exploited
An attacker obtains a session token (via network interception, compromised workstation, or other means) and uses it to authenticate to the Metasys server after the legitimate user has logged out, since the token was not invalidated. The attack requires high technical complexity to capture and replay the token.
Prerequisites
  • Network access to the Metasys server port
  • Ability to capture or obtain a valid user session token
  • Knowledge that a user has logged out but the token remains valid
Tags: remotely exploitable · requires valid user session token · high attack complexity · affects building automation and facility control systems
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product | Affected Versions | Fix Status
All Metasys ADS/ADX/OAS Servers | 10, 11 | No fix yet
Remediation & Mitigation
Do now
HARDENING: Monitor for suspicious authentication activity and ensure user logout procedures properly terminate all sessions
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Metasys ADS/ADX/OAS Servers running version 10 to patch 10.1.5 or later
HOTFIX: Update Metasys ADS/ADX/OAS Servers running version 11 to patch 11.0.2 or later
Long-term hardening
HARDENING: Implement network segmentation to isolate Metasys servers from the Internet and business network using firewalls
HARDENING: Require VPN for all remote access to Metasys servers and ensure VPN is updated to the latest version
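The "Do now" item above asks operators to monitor authentication activity for exactly the pattern described under "How it could be exploited": a session token that keeps working after its owner logged out. The script below is an added example of such a check, written for this page and not part of the advisory or of any Johnson Controls software. It runs over a constructed, hypothetical audit-log format (timestamp, event kind, user, token, source address); a real Metasys deployment would need its own parser for whatever the server actually logs, and the event names LOGIN, LOGOUT and REQUEST are assumptions.

```python
"""Flag requests that carry a session token after that token's user logged out.

Added example for the ICSA-22-104-02 advisory page; not vendor code.
The log format is constructed for illustration and is NOT the Metasys format.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from typing import Iterable

# Constructed sample audit log (hypothetical format):
#   <ISO-8601 timestamp> <EVENT> user=<name> token=<id> src=<ip>
# tok-A1 is used twice after operator1 logged out; tok-B7 is never reused.
SAMPLE_LOG = """\
2022-04-14T08:00:00Z LOGIN   user=operator1 token=tok-A1 src=10.0.10.5
2022-04-14T08:05:12Z REQUEST user=operator1 token=tok-A1 src=10.0.10.5
2022-04-14T08:30:00Z LOGOUT  user=operator1 token=tok-A1 src=10.0.10.5
2022-04-14T08:41:07Z REQUEST user=operator1 token=tok-A1 src=10.0.44.9
2022-04-14T09:00:00Z LOGIN   user=operator2 token=tok-B7 src=10.0.10.6
2022-04-14T09:10:00Z REQUEST user=operator2 token=tok-B7 src=10.0.10.6
2022-04-14T09:15:00Z LOGOUT  user=operator2 token=tok-B7 src=10.0.10.6
2022-04-14T09:16:00Z LOGIN   user=operator1 token=tok-C3 src=10.0.10.5
2022-04-14T09:17:00Z REQUEST user=operator1 token=tok-A1 src=10.0.10.5
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str
    user: str
    token: str
    src: str


@dataclass(frozen=True)
class Finding:
    """One request that used a token the server should already have revoked."""
    token: str
    user: str            # user who logged the token out
    logged_out_at: datetime
    reused_at: datetime
    src: str             # source address of the post-logout request
    src_changed: bool    # True when the reuse came from a different address


def parse_line(line: str) -> Event:
    """Parse one line of the constructed log format into an Event."""
    ts, kind, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return Event(stamp, kind, kv["user"], kv["token"], kv["src"])


def detect_token_reuse(lines: Iterable[str]) -> list[Finding]:
    """Return a Finding for every REQUEST whose token appeared in an earlier LOGOUT."""
    logged_out: dict[str, Event] = {}   # token -> LOGOUT event that should have killed it
    findings: list[Finding] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse_line(raw)
        if ev.kind == "LOGOUT":
            logged_out[ev.token] = ev
        elif ev.kind == "LOGIN":
            # A login issues a fresh token; if a server ever reissued an old
            # token id, stop treating that id as revoked.
            logged_out.pop(ev.token, None)
        elif ev.kind == "REQUEST" and ev.token in logged_out:
            out = logged_out[ev.token]
            findings.append(Finding(ev.token, out.user, out.ts, ev.ts,
                                    ev.src, ev.src != out.src))
    return findings


if __name__ == "__main__":
    for f in detect_token_reuse(SAMPLE_LOG.splitlines()):
        flag = "source changed" if f.src_changed else "same source"
        print(f"{f.reused_at.isoformat()} token {f.token} of {f.user} "
              f"reused from {f.src} after logout at {f.logged_out_at.isoformat()} ({flag})")
```

Run against the sample log it reports the two post-logout uses of tok-A1 and nothing for tok-B7. The `src_changed` flag is worth surfacing separately in an alert: a post-logout request from a different address is the stronger indicator of a captured token, while one from the same workstation may just be a client that kept an old token cached, which is still worth correcting once the 10.1.5 / 11.0.2 patches are applied.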
API: /api/v1/advisories/cff880aa-4051-4d03-a248-6e0d1ef6ec63