CVE-2020-9050
📋 TL;DR
This CVE describes a path traversal vulnerability in the Metasys Reporting Engine (MRE) Web Services that allows remote unauthenticated attackers to access and download arbitrary files from the system. This affects organizations using Johnson Controls Metasys building automation systems. Attackers can potentially access sensitive configuration files, credentials, or system files without authentication.
💻 Affected Systems
- Johnson Controls Metasys Reporting Engine (MRE)
📦 What is this software?
Metasys Reporting Engine by Johnson Controls
⚠️ Risk & Real-World Impact
Worst Case
Attackers exfiltrate sensitive system files, configuration data, or credentials, leading to complete system compromise, lateral movement within the network, or exposure of building automation controls.
Likely Case
Attackers download configuration files containing system information, potentially enabling further attacks or reconnaissance of the building management infrastructure.
If Mitigated
With proper network segmentation and access controls, impact is limited to isolated systems with minimal sensitive data exposure.
🎯 Exploit Status
Path traversal vulnerabilities are typically easy to exploit with simple HTTP requests. Because no authentication is required, this one is particularly dangerous.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: MRE version 10.1.5 or later
Vendor Advisory: https://www.johnsoncontrols.com/cyber-solutions/security-advisories
Restart Required: Yes
Instructions:
1. Download MRE version 10.1.5 or later from the Johnson Controls support portal.
2. Back up the current configuration.
3. Install the update following vendor instructions.
4. Restart MRE services.
5. Verify functionality.
🔧 Temporary Workarounds
Network Segmentation
Isolate MRE systems from untrusted networks and restrict access to authorized IP addresses only.
Web Application Firewall Rules
Implement WAF rules to block path traversal patterns in HTTP requests.
🧯 If You Can't Patch
- Implement strict network access controls to limit MRE web services to trusted IP addresses only
- Deploy web application firewall with rules to detect and block path traversal attempts
🔍 How to Verify
Check if Vulnerable:
Check MRE version in system settings or via vendor documentation. Versions below 10.1.5 are vulnerable.
Check Version:
Check MRE version through the application interface or consult vendor documentation for version verification.
Verify Fix Applied:
Verify MRE version is 10.1.5 or higher and test that path traversal attempts are blocked.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing '../' or similar path traversal patterns to MRE web services
- Unusual file access patterns from external IP addresses
Network Indicators:
- HTTP requests with path traversal sequences to MRE web service ports
- Unexpected file downloads from MRE systems
SIEM Query:
source="MRE_Web_Logs" AND (http_uri="*../*" OR http_uri="*..\\*" OR http_uri="*%2e%2e%2f*")
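The SIEM query above only catches the literal `../`, `..\` and `%2e%2e%2f` forms. The following added example (not part of the original advisory and not vendor code) normalises each request URI first, so double-encoded and backslash variants are caught by one pattern, and counts hits per client address to surface a single host probing repeatedly; the log lines, the `/mre/` path and the client addresses are constructed placeholders.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed combined-format access-log lines; the /mre/ path and the
# client addresses are placeholders, not values from a real MRE deployment.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2020:12:00:01 +0000] "GET /mre/css/site.css HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2020:12:00:02 +0000] "GET /mre/../../some/file.cfg HTTP/1.1" 200 403
203.0.113.7 - - [10/Mar/2020:12:00:03 +0000] "GET /mre/%2e%2e%2f%2e%2e%2fsome/file.cfg HTTP/1.1" 200 403
203.0.113.7 - - [10/Mar/2020:12:00:04 +0000] "GET /mre/%252e%252e%255csome%255cfile.cfg HTTP/1.1" 404 0
10.0.0.9 - - [10/Mar/2020:12:00:05 +0000] "GET /mre/report?id=42 HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# After normalisation every separator is "/", so one pattern covers "../", "..\" and encoded forms.
DOTDOT_RE = re.compile(r"\.\./")

def normalize_uri(uri: str) -> str:
    """Percent-decode up to three times (catches %252e double encoding) and unify separators."""
    decoded = uri
    for _ in range(3):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    return decoded.replace("\\", "/")

def has_traversal(uri: str) -> bool:
    return DOTDOT_RE.search(normalize_uri(uri)) is not None

def scan_log(text: str) -> list:
    """One record per request whose URI contains a traversal sequence; a 200 status is the higher-priority hit."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and has_traversal(m["uri"]):
            hits.append({"ip": m["ip"], "time": m["ts"], "uri": m["uri"], "status": int(m["status"])})
    return hits

def hits_per_source(text: str) -> dict:
    """Count traversal attempts per client address to spot a single host probing repeatedly."""
    return dict(Counter(h["ip"] for h in scan_log(text)))

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["ip"]} {h["status"]} {h["uri"]}')
    print(hits_per_source(SAMPLE_LOG))
```

Run against the sample, the three requests from 203.0.113.7 are flagged and the two legitimate requests are not; the two that returned 200 are the ones to treat as a possible successful file read.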