CVE-2022-21934

8.0 HIGH

📋 TL;DR

This vulnerability in Metasys building automation servers allows authenticated users to lock out other users or take over their accounts. It affects Metasys ADS/ADX/OAS servers version 10 before 10.1.5 and version 11 before 11.0.2. Attackers need valid credentials to exploit this authentication flaw.

💻 Affected Systems

Products:
  • Metasys ADS Server
  • Metasys ADX Server
  • Metasys OAS Server
Versions: Version 10 prior to 10.1.5, Version 11 prior to 11.0.2
Operating Systems: Windows Server (typically)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all configurations of vulnerable versions. Authentication required for exploitation.

📦 What is this software?

Metasys is Johnson Controls' building automation system. The ADS, ADX and OAS products are its server components, which hold the site's configuration data and the user accounts that operators and administrators log in with.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with valid credentials could take over administrative accounts, disrupt building operations, and potentially gain control of critical building systems.

🟠 Likely Case

Malicious insiders or compromised accounts could lock legitimate users out of the system, causing operational disruption and requiring manual account recovery.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to temporary account lockouts that can be quickly remediated by administrators.

🌐 Internet-Facing: MEDIUM - While authentication is required, exposed systems could be targeted by attackers with stolen credentials.
🏢 Internal Only: HIGH - Insider threats or compromised internal accounts pose significant risk to building operations.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires authenticated access but likely simple to exploit once credentials are obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 10.1.5 or later for v10, Version 11.0.2 or later for v11

Vendor Advisory: https://www.johnsoncontrols.com/cyber-solutions/security-advisories

Restart Required: Yes

Instructions:

1. Download patches from the Johnson Controls support portal.
2. Back up the system configuration.
3. Apply the patch following vendor instructions.
4. Restart affected servers.
5. Verify patch installation and functionality.

🔧 Temporary Workarounds

Restrict User Account Access (platform: all)

Limit user permissions to the minimum required and implement strict access controls.

Implement Account Lockout Policies (platform: windows)

Configure account lockout after failed attempts to prevent brute-force attacks.

🧯 If You Can't Patch

  • Isolate vulnerable systems from untrusted networks and implement strict network segmentation
  • Implement multi-factor authentication and monitor for suspicious account activity

🔍 How to Verify

Check if Vulnerable:

Check the server version in Metasys System Configuration or the About dialog, and compare it against the affected ranges (v10 before 10.1.5, v11 before 11.0.2).

Check Version:

Check via the Metasys UI, or consult the system documentation for version verification commands.

Verify Fix Applied:

Verify that the version shows 10.1.5 or higher for v10, or 11.0.2 or higher for v11, then test user account functionality (login, password change, account management).
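The version comparison above is easy to get wrong when done by eye or with string comparison (where "10.1.10" sorts before "10.1.5"). The following Python is an added example, not code from the advisory or from Johnson Controls: it parses a version string from the About dialog and decides numerically whether it falls in one of the two affected ranges the advisory names.

```python
# Added example (not from the advisory): classify a Metasys ADS/ADX/OAS version
# string against the affected ranges of CVE-2022-21934.
# Fixed versions come from the advisory text: 10.1.5 for v10, 11.0.2 for v11.
# Components are compared as integers so "10.1.10" is correctly newer than "10.1.5".

from typing import Tuple

# major version -> first fixed version for that branch
FIXED_BY_MAJOR = {10: (10, 1, 5), 11: (11, 0, 2)}


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '10.1.5' into (10, 1, 5). Short strings like '10.1' are padded with zeros."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {s!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))


def is_vulnerable(version: str) -> bool:
    """True when the version is inside an affected range named by the advisory."""
    v = parse_version(version)
    fixed = FIXED_BY_MAJOR.get(v[0])
    if fixed is None:
        # Major version the advisory does not list: outside the named ranges.
        return False
    return v < fixed


def classify(version: str) -> str:
    return f"{version}: {'VULNERABLE - patch required' if is_vulnerable(version) else 'not in an affected range'}"


if __name__ == "__main__":
    for sample in ("10.1.4", "10.1.5", "10.1.10", "11.0.1", "11.0.2"):
        print(classify(sample))
```

The check deliberately returns "not in an affected range" for major versions the advisory does not mention rather than guessing; anything outside v10 and v11 should be confirmed against the vendor advisory directly.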

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts followed by successful login
  • Unusual account lockout events
  • User account modifications from unexpected sources

Network Indicators:

  • Authentication traffic patterns showing account takeover attempts
  • Unusual administrative access from non-standard locations

SIEM Query:

source="metasys" AND (event_type="account_lockout" OR event_type="user_modify") AND user!="admin"

(Splunk-style search; adapt the source and field names to how your collector maps Metasys audit events.)
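To show the three log indicators as concrete detection logic rather than a single filter, here is an added Python example (not code from the advisory or from Johnson Controls) run over constructed, syslog-style lines. The key=value layout, the event names and the "trusted admin network" prefix are assumptions made for the example; a real deployment would map Metasys audit records into this shape at the collector.

```python
# Added example (not from the advisory): apply the advisory's log indicators to
# constructed audit lines. Field layout and event names are assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log (not real Metasys output). Timestamp, then key=value pairs.
SAMPLE_LOG = [
    "2022-01-10T09:00:01Z user=alice event=login_failed src=10.0.5.7",
    "2022-01-10T09:00:09Z user=alice event=login_failed src=10.0.5.7",
    "2022-01-10T09:00:15Z user=alice event=login_failed src=10.0.5.7",
    "2022-01-10T09:00:40Z user=alice event=login_success src=10.0.5.7",
    "2022-01-10T09:05:00Z user=bob event=login_success src=10.0.1.20",
    "2022-01-10T09:06:00Z user=bob event=user_modify target=carol src=10.0.1.20",
    "2022-01-10T09:07:00Z user=alice event=user_modify target=carol src=10.0.5.7",
    "2022-01-10T09:08:00Z user=alice event=account_lockout target=dave src=10.0.5.7",
]

FAIL_THRESHOLD = 3            # failed logins before a following success is suspicious
WINDOW = timedelta(minutes=10)
TRUSTED_ADMIN_NETS: Tuple[str, ...] = ("10.0.1.",)  # assumed: where admin changes normally originate

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line: str) -> Dict[str, object]:
    """Parse one constructed audit line into a dict with a datetime under 'ts'."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    rec: Dict[str, object] = {"ts": datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))}
    for k, v in re.findall(r"(\w+)=(\S+)", m.group("kv")):
        rec[k] = v
    return rec


def find_alerts(lines: List[str], trusted_prefixes: Tuple[str, ...] = TRUSTED_ADMIN_NETS) -> List[str]:
    """Return one alert string per matched indicator, in time order."""
    recs = sorted((parse_line(l) for l in lines), key=lambda r: r["ts"])
    alerts: List[str] = []
    recent_failures = defaultdict(list)  # user -> timestamps of recent failed logins
    for r in recs:
        ev, user, src = r.get("event"), r.get("user"), r.get("src", "")
        if ev == "login_failed":
            recent_failures[user].append(r["ts"])
        elif ev == "login_success":
            # Indicator 1: a burst of failures followed by a success inside the window.
            fails = [t for t in recent_failures[user] if r["ts"] - t <= WINDOW]
            if len(fails) >= FAIL_THRESHOLD:
                alerts.append(f"{user}: {len(fails)} failed logins then success from {src}")
            recent_failures[user].clear()
        elif ev == "account_lockout":
            # Indicator 2: one authenticated user locking out a different account.
            if r.get("target") != user:
                alerts.append(f"{r.get('target')}: locked out by {user} from {src}")
        elif ev == "user_modify":
            # Indicator 3: account modification from outside the expected admin network.
            if not src.startswith(trusted_prefixes):
                alerts.append(f"{r.get('target')}: modified by {user} from untrusted {src}")
    return alerts


if __name__ == "__main__":
    for a in find_alerts(SAMPLE_LOG):
        print("ALERT", a)
```

On the sample, bob's change to carol from the trusted range produces nothing, while alice's failed-then-successful login burst, her modification of carol from an untrusted host, and her lockout of dave each raise an alert; the thresholds and the trusted prefix are the knobs to tune per site.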
