CVE-2022-21935
📋 TL;DR
This vulnerability in Johnson Controls Metasys building automation systems allows attackers to change passwords without verification. It affects Metasys ADS/ADX/OAS servers running vulnerable versions, potentially compromising building control systems.
💻 Affected Systems
- Metasys ADS
- Metasys ADX
- Metasys OAS
📦 What is this software?
Metasys Application And Data Server by Johnsoncontrols
Metasys Extended Application And Data Server by Johnsoncontrols
Metasys Open Application Server by Johnsoncontrols
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative access to building automation systems, enabling manipulation of HVAC, lighting, security systems, and physical access controls.
Likely Case
Unauthorized users change administrative passwords, gaining control over building systems and potentially disrupting operations.
If Mitigated
With proper network segmentation and access controls, impact is limited to isolated building automation network segments.
🎯 Exploit Status
Requires network access to Metasys server but no authentication for password change functionality.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.1.5 for version 10, 11.0.2 for version 11
Vendor Advisory: https://www.johnsoncontrols.com/cyber-solutions/security-advisories
Restart Required: Yes
Instructions:
1. Download patches from the Johnson Controls support portal.
2. Back up the system configuration.
3. Apply the patch following vendor instructions.
4. Restart affected servers.
5. Verify patch installation.
🔧 Temporary Workarounds
Network Segmentation
Isolate Metasys systems from the general corporate network and from internet access
Access Control Lists
Implement strict firewall rules limiting access to Metasys servers
🧯 If You Can't Patch
- Implement network segmentation to isolate Metasys systems
- Deploy intrusion detection systems monitoring for unauthorized password change attempts
🔍 How to Verify
Check if Vulnerable:
Check Metasys server version in system administration interface
Check Version:
Check via Metasys System Configuration utility or web interface
Verify Fix Applied:
Verify version shows 10.1.5 or higher for v10, 11.0.2 or higher for v11
📡 Detection & Monitoring
Log Indicators:
- Unexpected password change events in Metasys audit logs
- Authentication failures followed by password changes
Network Indicators:
- Unauthorized access attempts to Metasys password change endpoints
- Traffic to Metasys servers from unexpected sources
SIEM Query:
source="metasys" AND (event_type="password_change" OR event_type="authentication")
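As an added example (not from this page and not Johnson Controls code), the correlation the log indicators above describe, failed authentications followed by a password change from the same source and account, run over constructed sample audit lines in a hypothetical key=value format; the real Metasys audit log layout will differ, so only the regex needs adapting:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (hypothetical format, not the real Metasys log layout).
SAMPLE_LOGS = """\
2022-03-01T10:00:01Z src=10.0.5.20 event=authentication result=failure user=admin
2022-03-01T10:00:04Z src=10.0.5.20 event=authentication result=failure user=admin
2022-03-01T10:00:09Z src=10.0.5.20 event=password_change user=admin
2022-03-01T11:30:00Z src=10.0.1.7 event=authentication result=success user=operator
2022-03-01T11:31:00Z src=10.0.1.7 event=password_change user=operator
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) event=(?P<event>\S+)"
    r"(?: result=(?P<result>\S+))? user=(?P<user>\S+)$"
)


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ev


def find_suspicious_password_changes(log_text, window=timedelta(minutes=5), min_failures=1):
    """Flag password changes preceded by >= min_failures auth failures
    from the same (source, user) within `window`. Lines must be time-ordered."""
    failures = defaultdict(list)  # (src, user) -> timestamps of failed logins
    alerts = []
    for ev in parse(log_text):
        key = (ev["src"], ev["user"])
        if ev["event"] == "authentication" and ev["result"] == "failure":
            failures[key].append(ev["ts"])
        elif ev["event"] == "password_change":
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            if len(recent) >= min_failures:
                alerts.append({"src": ev["src"], "user": ev["user"],
                               "when": ev["ts"], "failures": len(recent)})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_password_changes(SAMPLE_LOGS):
        print(alert)
```

The second password change (operator, after a successful login) is deliberately not flagged, which is the distinction the "authentication failures followed by password changes" indicator relies on.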