OTPulse

Johnson Controls Metasys

Priority: Plan Patch · CVSS 7.8 · ICS-CERT ICSA-23-012-06 · Published Jan 12, 2023
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Metasys ADS/ADX/OAS servers, version 10.x prior to 10.1.6 and version 11.x prior to 11.0.3, store credentials in plain text, so anyone with local access to the server can read them without authenticating to Metasys. Metasys is a building automation platform used to manage HVAC, lighting, fire safety, and access control systems. The attack vector is local: the attacker needs access to the server itself, and the flaw is not remotely exploitable on its own.

What this means
What could happen
An attacker with local access to a Metasys server could view stored credentials in plain text, potentially gaining access to building automation systems and other networked infrastructure controlled through those credentials.
Who's at risk
Building automation and facilities managers responsible for Johnson Controls Metasys systems (ADS, ADX, or OAS servers). This affects any organization using Metasys for HVAC, lighting, access control, or other building management functions where those credentials provide administrative access.
How it could be exploited
An attacker with physical access to a Metasys ADS/ADX/OAS server, or an interactive session on it, can read the stored credentials from the local file system or configuration interface where they are kept unencrypted. No Metasys authentication is needed; the attacker only has to reach the file storage or configuration surface on the host.
Prerequisites
  • Local or physical access to the Metasys server
  • No elevated credentials required
  • Ability to access file storage or configuration interfaces on the server
Key points
  • Stored credentials in plain text
  • Low complexity to exploit locally
  • No authentication required for local access
  • No patch available for older versions
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (2, both with a fix)
Product                               Affected Versions   Fix Status
Metasys ADS/ADX/OAS Servers (10.x)    < 10.1.6            10.1.6 or later
Metasys ADS/ADX/OAS Servers (11.x)    < 11.0.3            11.0.3 or later
Remediation & Mitigation
Do now
  • HARDENING: Limit who can log on to the server console, and restrict access to the local file system and configuration interfaces to the accounts that need it.
Schedule (requires a maintenance window)
Patching may require a server reboot: plan for process interruption.
  • HOTFIX: Update Metasys ADS/ADX/OAS version 10.x systems to patch 10.1.6.
  • HOTFIX: Update Metasys ADS/ADX/OAS version 11.x systems to patch 11.0.3.
Long-term hardening
  • HARDENING: Restrict physical and local access to Metasys servers; place them in a segmented network behind firewalls, isolated from business networks.
  • HARDENING: Monitor access and audit logs for unauthorized attempts to view or copy configuration files from Metasys servers.
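The prerequisites above and the monitoring advice both come down to one question a facilities team can answer for itself: which files on the server still hold a credential in plain text, and who can read them. The script below is an added example (not OTPulse or Johnson Controls code) that walks a directory tree, flags lines that look like stored credentials, skips values that are masked or already encrypted, and reports whether accounts other than the owner can read the file. It assumes nothing about the Metasys install layout: the root directory, the keyword list and the file suffixes are assumptions to tune locally, and the sample files it builds are constructed for the demo.

```python
"""Audit a directory tree for configuration files that hold credentials in plain text.

Added example; not Johnson Controls or OTPulse code. It assumes nothing about
where Metasys keeps its files: point it at the directory you want audited.
The keyword list and file suffixes are generic assumptions; tune them locally.
"""
import os
import re
import stat
import sys
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# Key names that usually mark a stored secret (matched case-insensitively).
_KEY = r"(?:password|passwd|pwd|secret|api[_-]?key)"
PATTERNS = [
    # key=value, key: value, "key": "value", Key="value" (also inside connection strings)
    re.compile(rf'(?P<key>\w*{_KEY}\w*)["\']?\s*[=:]\s*["\']?(?P<value>[^"\'\s;]+)', re.I),
    # .NET appSettings style: <add key="ServicePassword" value="..." />
    re.compile(rf'key=["\'](?P<key>[^"\']*{_KEY}[^"\']*)["\']\s+value=["\'](?P<value>[^"\']*)["\']', re.I),
]
TEXT_SUFFIXES = {".config", ".xml", ".ini", ".json", ".txt", ".properties", ".conf"}
MAX_BYTES = 4 * 1024 * 1024  # larger files (logs, dumps, binaries) need other tooling


@dataclass
class Finding:
    path: str                        # relative to the audited root
    line_no: int
    key: str                         # the key name that matched, never the value
    world_readable: Optional[bool]   # None on Windows, where NTFS ACLs decide


def is_placeholder(value: str) -> bool:
    """Empty, masked, templated or already-encrypted values are not plaintext secrets."""
    v = value.strip()
    return not v or set(v) <= {"*"} or v.upper().startswith("ENC(") or v.startswith("${")


def scan_text(text: str):
    """Yield (line_no, key) for every line that looks like a plaintext credential."""
    for line_no, line in enumerate(text.splitlines(), start=1):
        for pat in PATTERNS:
            m = pat.search(line)
            if m and not is_placeholder(m.group("value")):
                yield line_no, m.group("key")
                break


def others_can_read(path: str) -> Optional[bool]:
    """POSIX 'other' read bit. On Windows return None: check the ACL with icacls or Get-Acl."""
    if os.name == "nt":
        return None
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_tree(root: str) -> List[Finding]:
    """Scan every text-like file under root and return findings sorted by path and line."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() not in TEXT_SUFFIXES:
                continue
            if os.path.getsize(full) > MAX_BYTES:
                continue
            with open(full, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            readable = others_can_read(full)
            for line_no, key in scan_text(text):
                findings.append(Finding(rel, line_no, key, readable))
    return sorted(findings, key=lambda f: (f.path, f.line_no))


def build_sample_tree(base: Optional[str] = None) -> str:
    """Constructed sample files (not real Metasys artifacts) so the audit runs offline."""
    base = base or tempfile.mkdtemp(prefix="cred-audit-")
    files = {
        "app.config": "\n".join([
            "<configuration>",
            "  <appSettings>",
            '    <add key="ServiceUser" value="svc_bms" />',
            '    <add key="ServicePassword" value="Winter2023!" />',   # line 4: plaintext
            "  </appSettings>",
            "  <connectionStrings>",
            '    <add name="Db" connectionString="Server=.;Database=Site;User Id=sa;Password=p@ss;" />',  # line 7
            "  </connectionStrings>",
            "</configuration>",
        ]),
        "settings.json": '{\n  "user": "admin",\n  "password": "hunter2",\n  "apiKey": "ENC(abc123)"\n}\n',
        "notes.txt": "Password rotation is quarterly.\n",   # mentions the word, stores nothing
    }
    for name, content in files.items():
        with open(os.path.join(base, name), "w", encoding="utf-8") as fh:
            fh.write(content)
    with open(os.path.join(base, "backup.bin"), "wb") as fh:
        fh.write(b"\x00\x01PASSWORD=not-scanned")   # non-text suffix: deliberately skipped
    return base


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for f in audit_tree(target):
        print(f"{f.path}:{f.line_no}  key={f.key}  others_can_read={f.world_readable}")
```

Run it with the directory to audit as the only argument; with no argument it audits its own constructed sample tree. The report names the file, line and key but never the secret value, so it can go into a ticket or be sent to the vendor as-is. The encrypted `ENC(...)` value and the `.bin` file in the sample show the two limits worth remembering: the scan is a heuristic over text files, and on Windows the permission column is `None` because only the NTFS ACL answers who can read the file.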