#VU20345 Use of Hard-coded Cryptographic Key in Metasys System - CVE-2019-7594

Cybersecurity Help s.r.o.

Published: 2019-08-21

Vulnerability identifier: #VU20345

Vulnerability risk: Medium

CVSSv4.0: 4.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-7594

CWE-ID: CWE-321

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Metasys System
Universal components / Libraries / Software for developers

Vendor: Johnson Controls

Description

The vulnerability allows a remote attacker to decrypt captured network traffic.

The vulnerability exists due to the ADS/ADX servers and NAE/NIE/NCE engines make use of a hardcoded RC2 key for certain encryption operations involving the Site Management Portal (SMP). A remote attacker with access to the hardcoded RC2 key can decrypt captured network traffic between the Metasys ADS/ADX servers or NAE/NIE/NCE engines and the connecting SMP user client.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Metasys System: before 9.0

External links
https://www.johnsoncontrols.com/-/media/jci/cyber-solutions/product-security-advisories/2019/jci-psa-2019-06-v1-metasys-icsa-19-227-01.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Johnson Controls Metasys