CVE-2021-36207
📋 TL;DR
CVE-2021-36207 is a privilege escalation vulnerability in Johnson Controls Metasys ADS/ADX/OAS servers that allows authenticated users to elevate their privileges to administrator level. This affects building automation systems running Metasys versions 10 and 11. The vulnerability stems from improper privilege management under certain circumstances.
💻 Affected Systems
- Metasys ADS Server
- Metasys ADX Server
- Metasys OAS Server
📦 What is this software?
Metasys Application And Data Server by Johnsoncontrols
View all CVEs affecting Metasys Application And Data Server →
Metasys Application And Data Server by Johnsoncontrols
View all CVEs affecting Metasys Application And Data Server →
Metasys Extended Application And Data Server by Johnsoncontrols
View all CVEs affecting Metasys Extended Application And Data Server →
Metasys Extended Application And Data Server by Johnsoncontrols
View all CVEs affecting Metasys Extended Application And Data Server →
Metasys Open Application Server by Johnsoncontrols
⚠️ Risk & Real-World Impact
Worst Case
An attacker with authenticated access could gain full administrative control over building automation systems, potentially manipulating HVAC, lighting, security systems, and accessing sensitive operational data.
Likely Case
Malicious insiders or compromised accounts could escalate privileges to modify system configurations, disrupt building operations, or establish persistence for further attacks.
If Mitigated
With proper network segmentation, strong authentication, and monitoring, impact would be limited to isolated systems with quick detection and response.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 11.0.2 and later
Vendor Advisory: https://www.johnsoncontrols.com/cyber-solutions/security-advisories
Restart Required: Yes
Instructions:
1. Download patch from Johnson Controls support portal. 2. Backup system configuration. 3. Apply patch following vendor instructions. 4. Restart affected servers. 5. Verify patch installation.
🔧 Temporary Workarounds
Network Segmentation
allIsolate Metasys servers from general network access and restrict to necessary connections only.
Access Control Enhancement
allImplement strict role-based access control and monitor for privilege escalation attempts.
🧯 If You Can't Patch
- Implement network segmentation to isolate Metasys servers from untrusted networks
- Enhance monitoring for privilege escalation attempts and unusual administrative activity
🔍 How to Verify
Check if Vulnerable:
Check Metasys server version in system administration interface or via vendor-provided tools.Check Version:
Check via Metasys System Configuration Tool or vendor documentation.Verify Fix Applied:
Verify version is 11.0.2 or later and test privilege escalation attempts fail.📡 Detection & Monitoring
Log Indicators:
- Unexpected privilege changes
- Multiple failed then successful authentication attempts
- Administrative actions from non-admin accounts
Network Indicators:
- Unusual authentication traffic patterns
- Administrative protocol usage from unexpected sources
SIEM Query:
source="metasys" AND (event_type="privilege_change" OR user_role="admin" AND user_group!="administrators")