Use of Hard-coded Cryptographic Key in Metasys System

#VU20345 Use of Hard-coded Cryptographic Key in Metasys System

Published: 2019-08-21

Vulnerability identifier: #VU20345

Vulnerability risk: Medium

CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-7594

CWE-ID: CWE-321

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Metasys System
Universal components / Libraries / Software for developers

Vendor: Johnson Controls

Description

The vulnerability allows a remote attacker to decrypt captured network traffic.

The vulnerability exists due to the ADS/ADX servers and NAE/NIE/NCE engines make use of a hardcoded RC2 key for certain encryption operations involving the Site Management Portal (SMP). A remote attacker with access to the hardcoded RC2 key can decrypt captured network traffic between the Metasys ADS/ADX servers or NAE/NIE/NCE engines and the connecting SMP user client.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Metasys System: All versions

External links
http://www.johnsoncontrols.com/-/media/jci/cyber-solutions/product-security-advisories/2019/jci-psa-2019-06-v1-metasys-icsa-19-227-01.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Johnson Controls Metasys