CVE-2021-36205
TL;DR
CVE-2021-36205 is an authentication bypass vulnerability in Johnson Controls Metasys products where session tokens are not properly cleared on logout. This allows attackers to reuse valid session tokens to gain unauthorized access to building management systems. Affected organizations include those using Johnson Controls Metasys for building automation and control.
Affected Systems
- Johnson Controls Metasys
- Johnson Controls C•CURE 9000
- Johnson Controls Facility Explorer
What is this software?
Metasys Application And Data Server by Johnsoncontrols
Metasys Extended Application And Data Server by Johnsoncontrols
Metasys Open Application Server by Johnsoncontrols
Risk & Real-World Impact
Worst Case
Attackers gain persistent administrative access to building management systems, enabling physical security bypass, environmental manipulation, and disruption of critical infrastructure operations.
Likely Case
Unauthorized users access building control interfaces to modify temperature settings, lighting, access controls, or view sensitive system information.
If Mitigated
Limited impact when network segmentation, monitoring, and compensating controls prevent a reused token from being useful.
Exploit Status
Exploitation requires obtaining a valid session token through legitimate login or other means, then reusing it after logout.
Fix & Mitigation
Official Fix
Patch Version: Multiple version-specific patches - refer to Johnson Controls security advisories
Vendor Advisory: https://www.johnsoncontrols.com/cyber-solutions/security-advisories
Restart Required: Yes
Instructions:
1. Review Johnson Controls security advisory ICSA-22-104-02.
2. Identify affected product versions.
3. Apply vendor-provided patches.
4. Restart affected services/systems.
5. Verify session token clearing functionality.
Temporary Workarounds
Session Timeout Reduction
Reduce session timeout values to limit the window for token reuse
Configure in Metasys application settings - refer to product documentation
Network Segmentation
Isolate building management systems from general corporate networks
Implement firewall rules to restrict access to Metasys interfaces
If You Can't Patch
- Implement strict network access controls to limit who can reach the affected systems
- Enable detailed logging and monitoring for unusual session activity and token reuse patterns
How to Verify
Check if Vulnerable:
Test logout functionality:
1. Log into the system.
2. Capture the session token.
3. Log out.
4. Attempt to reuse the same token in API/web requests.
If the request succeeds, the system is vulnerable.
Check Version:
Check the Metasys/C•CURE version through the application interface or consult the system documentation
Verify Fix Applied:
Repeat vulnerability test - after logout, session tokens should be invalidated and not reusable.
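The verification steps above reduce to one question: does the server still honour a token after the logout call? The following is an added illustration, not Metasys or Johnson Controls code, of a minimal server-side session table in which logout revokes the token on the server, with a switch (`revoke_on_logout=False`) that models the weak behaviour this CVE describes, where logout only makes the client forget the token. The `token_survives_logout` helper is the page's login / capture / logout / replay check written against that store; the class, its method names and the TTL value are assumptions for the example, and the expiry path shows why the session-timeout workaround only narrows the window rather than closing it.

```python
"""Server-side session revocation on logout (constructed example, not product code)."""
import secrets
import time
from typing import Optional


class SessionStore:
    """Minimal server-side session table keyed by an opaque random token."""

    def __init__(self, ttl_seconds: int = 900, revoke_on_logout: bool = True):
        self._sessions = {}               # token -> {"user": ..., "expires": ...}
        self.ttl = ttl_seconds
        # False models the vulnerable behaviour: logout leaves the token valid.
        self.revoke_on_logout = revoke_on_logout

    def login(self, user: str, now: Optional[float] = None) -> str:
        """Issue a fresh random token bound to the user with an absolute expiry."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "expires": now + self.ttl}
        return token

    def logout(self, token: str) -> None:
        """Correct logout removes the server-side entry; the weak variant does nothing
        on the server and relies on the client discarding the token."""
        if self.revoke_on_logout:
            self._sessions.pop(token, None)

    def authenticate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user for a live token, or None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None or entry["expires"] <= now:
            self._sessions.pop(token, None)   # drop expired entries eagerly
            return None
        return entry["user"]


def token_survives_logout(store: SessionStore) -> bool:
    """The page's check: log in, capture the token, log out, replay the token.
    Returns True when the replay is still accepted (vulnerable behaviour)."""
    token = store.login("operator")
    assert store.authenticate(token) == "operator"   # token works before logout
    store.logout(token)
    return store.authenticate(token) is not None


if __name__ == "__main__":
    print("weak logout, token reusable:", token_survives_logout(SessionStore(revoke_on_logout=False)))
    print("revoking logout, token reusable:", token_survives_logout(SessionStore()))
```

Against a real deployment the same check is run over the product's HTTP API with a captured token rather than against this in-memory class; the decisive observation is identical: a 401/403 on the replayed request after logout means revocation is in place.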
Detection & Monitoring
Log Indicators:
- Multiple successful logins from same token after logout events
- Session tokens being used from unexpected IP addresses after logout
Network Indicators:
- API/web requests with previously used session tokens
- Unusual authentication patterns to building management endpoints
SIEM Query:
source="metasys" AND (event="logout" OR event="session_end") FOLLOWED BY source="metasys" AND event="api_request" WITH SAME session_id
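The SIEM query above is pseudocode for a sequence rule: a logout or session_end event followed by an API request carrying the same session_id. As an added example, not code from the page or the vendor, the script below implements that rule over a few constructed log lines in an assumed key=value format (`event=`, `session_id=`, `src=`); real Metasys audit records will need their own parser. It also flags the second log indicator listed above, a post-logout request arriving from a different source address than the one that logged in. Lines are assumed to be in chronological order.

```python
"""Detect session tokens used after logout (constructed example, assumed log format)."""
import re

# Constructed sample log lines, not real Metasys output. Session s1 is replayed
# after logout from the same host; s2 is replayed after session_end from a new
# host; s3 is a normal session that never logs out.
SAMPLE_LOGS = """\
2024-03-01T08:00:01Z source=metasys event=login session_id=s1 src=10.10.1.20 user=operator
2024-03-01T08:05:30Z source=metasys event=api_request session_id=s1 src=10.10.1.20 path=/api/objects
2024-03-01T08:10:00Z source=metasys event=logout session_id=s1 src=10.10.1.20
2024-03-01T08:12:45Z source=metasys event=api_request session_id=s1 src=10.10.1.20 path=/api/objects
2024-03-01T09:00:00Z source=metasys event=login session_id=s2 src=10.10.1.21 user=tech
2024-03-01T09:30:00Z source=metasys event=session_end session_id=s2 src=10.10.1.21
2024-03-01T09:31:10Z source=metasys event=api_request session_id=s2 src=192.0.2.77 path=/api/alarms
2024-03-01T10:00:00Z source=metasys event=login session_id=s3 src=10.10.1.22 user=admin
2024-03-01T10:01:00Z source=metasys event=api_request session_id=s3 src=10.10.1.22 path=/api/objects
"""

KV = re.compile(r"(\w+)=(\S+)")
END_EVENTS = {"logout", "session_end"}   # the two terminating events from the query


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict; the timestamp goes under 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    return fields


def find_token_reuse(log_text):
    """Return one finding per api_request whose session_id was already ended."""
    ended = {}    # session_id -> timestamp of the logout/session_end event
    origin = {}   # session_id -> src address seen at login
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("source") != "metasys":
            continue
        sid, event = ev.get("session_id"), ev.get("event")
        if event == "login":
            origin[sid] = ev.get("src")
            ended.pop(sid, None)          # a fresh login legitimately revives the id
        elif event in END_EVENTS:
            ended[sid] = ev["ts"]
        elif event == "api_request" and sid in ended:
            findings.append({
                "session_id": sid,
                "ended_at": ended[sid],
                "reused_at": ev["ts"],
                "src": ev.get("src"),
                "src_changed": ev.get("src") != origin.get(sid),
            })
    return findings


if __name__ == "__main__":
    for f in find_token_reuse(SAMPLE_LOGS):
        print(f)
```

A single reuse from the original host may be a client retry racing the logout; repeated reuse, or reuse from a new source address, is the pattern worth alerting on, so the `src_changed` flag is a natural severity modifier for the rule.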