SB2022041903 - Multiple vulnerabilities in Johnson Controls Metasys ADS/ADX/OAS Servers

Description

This security bulletin contains information about 6 secuirty vulnerabilities.

1) Incomplete cleanup (CVE-ID: CVE-2021-36205)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the session token is not cleared upon log out. A remote attacker can use a session token that has not been cleared upon log out of an authenticated user.

2) Improper Privilege Management (CVE-ID: CVE-2021-36207)

The vulnerability allows a remote attacker to escalate privileges.

The vulnerability exists due to improper privilege management. A remote user can escalate privileges.

3) Unverified Password Change (CVE-ID: CVE-2022-21934)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to unverified password change issue. A remote user on the local network can lock other users out of the system and take over accounts.

4) Cross-site scripting (CVE-ID: CVE-2022-21938)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the Draft Graphics (MUI Graphics) web interfaces. A remote user can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

5) Unverified Password Change (CVE-ID: CVE-2022-21935)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to unverified password change issue. A remote attacker on the local network can guess password at a high rate.

6) Cross-site scripting (CVE-ID: CVE-2022-21937)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Remediation

Install update from vendor's website.

References

• https://www.cisa.gov/uscert/ics/advisories/icsa-22-104-02
• https://www.johnsoncontrols.com/cyber-solutions/security-advisories
• https://ics-cert.us-cert.gov/advisories/icsa-22-118-01
• https://ics-cert.us-cert.gov/advisories/icsa-22-125-01
• https://www.johnsoncontrols.com/-/media/jci/cyber-solutions/product-security-advisories/2022/jci-psa-2022-09.pdf?la=en&hash=CDBC2D715E982A79F3A11C86819CF4766F047274
• https://ics-cert.us-cert.gov/advisories/icsa-22-165-01