Multiple vulnerabilities in Johnson Controls Metasys ADS/ADX/OAS Servers



Published: 2022-04-19 | Updated: 2022-06-15
Risk High
Patch available YES
Number of vulnerabilities 6
CVE-ID CVE-2021-36205
CVE-2021-36207
CVE-2022-21934
CVE-2022-21938
CVE-2022-21935
CVE-2022-21937
CWE-ID CWE-459
CWE-269
CWE-620
CWE-79
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Metasys ADS
Server applications / Application servers

Metasys ADX
Server applications / Application servers

Metasys Open Application Server (OAS)
Server applications / Other server solutions

Vendor Johnson Controls

Security Bulletin

This security bulletin contains information about 6 vulnerabilities.

Updated 29.04.2022

Added vulnerability #2

Updated 06.05.2022

Added vulnerability #3

Updated 15.06.2022

Added vulnerabilities #4-6

1) Incomplete cleanup

EUVDB-ID: #VU62369

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-36205

CWE-ID: CWE-459 - Incomplete cleanup

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the session token is not cleared upon log out. A remote attacker can use a session token that has not been cleared upon log out of an authenticated user.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Metasys ADS: 10 - 11

Metasys ADX: 10 - 11

Metasys Open Application Server (OAS): 10 - 11


CPE2.3 External links

http://www.cisa.gov/uscert/ics/advisories/icsa-22-104-02
http://www.johnsoncontrols.com/cyber-solutions/security-advisories

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper Privilege Management

EUVDB-ID: #VU62691

Risk: Medium

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-36207

CWE-ID: CWE-269 - Improper Privilege Management

Exploit availability: No

Description

The vulnerability allows a remote attacker to escalate privileges.

The vulnerability exists due to improper privilege management. A remote user can escalate privileges.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Metasys ADS: 10 - 11

Metasys ADX: 10 - 11

Metasys Open Application Server (OAS): 10 - 11


CPE2.3 External links

http://ics-cert.us-cert.gov/advisories/icsa-22-118-01

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Unverified Password Change

EUVDB-ID: #VU62832

Risk: Medium

CVSSv3.1: 7 [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21934

CWE-ID: CWE-620 - Unverified Password Change

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to unverified password change issue. A remote user on the local network can lock other users out of the system and take over accounts.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Metasys ADS: 10 - 11

Metasys ADX: 10 - 11

Metasys Open Application Server (OAS): 10 - 11


CPE2.3 External links

http://ics-cert.us-cert.gov/advisories/icsa-22-125-01
http://www.johnsoncontrols.com/-/media/jci/cyber-solutions/product-security-advisories/2022/jci-psa-2022-09.pdf?la=en&hash=CDBC2D715E982A79F3A11C86819CF4766F047274

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Cross-site scripting

EUVDB-ID: #VU64384

Risk: Low

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21938

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the Draft Graphics (MUI Graphics) web interfaces. A remote user can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Metasys ADS: 10 - 11

Metasys ADX: 10 - 11

Metasys Open Application Server (OAS): 10 - 11


CPE2.3 External links

http://ics-cert.us-cert.gov/advisories/icsa-22-165-01

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Unverified Password Change

EUVDB-ID: #VU64381

Risk: Low

CVSSv3.1: 6.5 [CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21935

CWE-ID: CWE-620 - Unverified Password Change

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to unverified password change issue. A remote attacker on the local network can guess password at a high rate.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Metasys ADS: 10 - 11

Metasys ADX: 10 - 11

Metasys Open Application Server (OAS): 10 - 11


CPE2.3 External links

http://ics-cert.us-cert.gov/advisories/icsa-22-165-01

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Cross-site scripting

EUVDB-ID: #VU64382

Risk: Low

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21937

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Metasys ADS: 10 - 11

Metasys ADX: 10 - 11

Metasys Open Application Server (OAS): 10 - 11


CPE2.3 External links

http://ics-cert.us-cert.gov/advisories/icsa-22-165-01

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###