CVE-2024-32757
📋 TL;DR
CVE-2024-32757 is an information disclosure vulnerability in Johnson Controls Metasys products: under certain conditions the system logs contain sensitive user details that should never be written to a log. It affects organizations running vulnerable versions of Metasys building automation systems. Anyone who can read those logs, including wherever copies end up (log collectors, backups, support bundles), could harvest credentials or personal information.
💻 Affected Systems
- Johnson Controls Metasys
- Metasys Extended Application
- Metasys Site Management Portal
⚠️ Manual Verification Required
This CVE has no version information in our database, so automatic vulnerability detection cannot determine whether your system is affected: the database entry carries no version ranges from the vendor or NVD. Use the vendor advisory and the manual checks below instead.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Check whether your own logs actually contain sensitive user details (see How to Verify below)
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain administrative credentials from logs, leading to full system compromise, data theft, or physical building control manipulation.
Likely Case
Unauthorized users access logs containing usernames, email addresses, or other identifiable information that could facilitate social engineering or credential stuffing attacks.
If Mitigated
With proper log access controls and monitoring, impact is limited to minimal information leakage with no operational disruption.
🎯 Exploit Status
No direct remote exploit is involved: the attacker first needs read access to the system logs by some other means (a compromised or over-privileged account, misconfigured file or share permissions, a log collector or backup that copies the logs, or a secondary vulnerability). The leak then turns that access into credentials or personal data.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to Johnson Controls security advisory for specific patched versions
Vendor Advisory: https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories
Restart Required: Yes
Instructions:
1. Review CISA ICS advisory ICSA-24-179-06 and the matching Johnson Controls product security advisory.
2. Identify the affected Metasys components in your deployment.
3. Apply the vendor-provided patches.
4. Restart the affected services or systems.
5. Verify that new log entries no longer contain sensitive user details, and purge or redact existing log copies (including collectors and backups) that already do.
🔧 Temporary Workarounds
Restrict Log Access (Linux log hosts)
Restrict the log directory and files so that only the service account and administrators can read them. The path and account name below are placeholders: Metasys server components run on Windows Server, so on the server itself apply equivalent NTFS ACLs; these commands apply to a Linux host that stores or collects exported Metasys logs. The directory mode blocks everyone else, and the ACL entry then grants the service account (here named metasys) read and traverse access.
chmod 750 /var/log/metasys
chmod 640 /var/log/metasys/*.log
setfacl -m u:metasys:r-x /var/log/metasys/
getfacl /var/log/metasys/
Log Redaction (all platforms)
Configure logging to exclude sensitive user fields (credentials, session tokens, e-mail addresses) or put a filtering/redaction step in front of wherever the logs are stored or forwarded. Redact at the source where possible: a collector that only masks on ingest still leaves the original files on the server.
🧯 If You Can't Patch
- Implement strict access controls on all log storage locations and monitoring systems
- Deploy log monitoring to detect unauthorized access attempts to system logs
🔍 How to Verify
Check if Vulnerable:
Review the system logs (and any exported copies) for user credentials, session tokens, e-mail addresses, or other sensitive user information that should not be logged. Searching for field names such as password or token and for e-mail address patterns is a quick first pass.
Check Version:
Check Metasys application version through administrative interface or consult system documentation
Verify Fix Applied:
After patching, exercise the affected functionality (logins, user administration), confirm that the new log entries no longer contain sensitive user details, and confirm that logging itself still works.
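The checks described under Log Redaction and How to Verify can be scripted. The following is an added example written for this page, not Johnson Controls code: it scans a log export for credential and PII patterns, redacts only the sensitive value so the rest of the line stays useful for troubleshooting, and reports whether the result is clean. The sample log lines are constructed for the example and do not reproduce any real Metasys log format; the field names the patterns look for (password=, token=, Bearer tokens, e-mail addresses) are generic assumptions about what "sensitive user details" look like, so extend the patterns to match what your own logs contain.

```python
"""Scan a log export for credentials / PII and redact them.

Added example for the verification and redaction steps on this page; it is
not Johnson Controls code. The log lines below are constructed for the
example and do not reproduce any real Metasys log format; the field names the
patterns look for are generic assumptions, not Metasys-specific ones.
"""
import re
import sys
from typing import Iterable

REDACTED = "[REDACTED]"

# Each pattern has three groups: (key, separator, value), so redaction can keep
# the key and separator and replace only the value. The e-mail pattern uses
# two empty groups to fit the same shape.
SENSITIVE = {
    "credential": re.compile(
        r'(?i)\b(password|passwd|pwd|token|session[_-]?id)("?\s*[=:]\s*"?)([^\s,;"]+)'),
    "bearer": re.compile(r'(?i)\b(bearer)(\s+)([A-Za-z0-9._\-]{16,})'),
    "email": re.compile(r'()()(\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b)'),
}

# Constructed sample export (not real Metasys output).
SAMPLE_LOG = [
    "2024-06-27T10:15:02Z INFO  AuthService login ok user=jdoe",
    '2024-06-27T10:15:03Z DEBUG AuthService request body {"user":"jdoe","password":"Winter2024!"}',
    "2024-06-27T10:15:03Z DEBUG HttpClient header Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig",
    "2024-06-27T10:16:40Z WARN  UserAdmin password reset sent to j.doe@example.com",
    "2024-06-27T10:17:00Z INFO  Scheduler trend export complete, 1204 rows",
]


def scan_log(lines: Iterable[str]) -> list:
    """Return one finding per leaked value: (line number, category, value).

    Values already replaced by REDACTED are skipped, so running this over
    redacted output reports nothing (the same idea as the NOT action="redacted"
    clause in the SIEM query on this page).
    """
    findings = []
    for lineno, line in enumerate(lines, 1):
        for category, rx in SENSITIVE.items():
            for m in rx.finditer(line):
                if m.group(3) == REDACTED:
                    continue
                findings.append((lineno, category, m.group(3)))
    return findings


def redact_line(line: str) -> str:
    """Mask only the sensitive value; keep key, separator and the rest of the line."""
    for rx in SENSITIVE.values():
        line = rx.sub(lambda m: m.group(1) + m.group(2) + REDACTED, line)
    return line


def redact_log(lines: Iterable[str]) -> list:
    return [redact_line(line) for line in lines]


def is_clean(lines: Iterable[str]) -> bool:
    """Verification check: True when no credential/PII pattern is found."""
    return not scan_log(lines)


if __name__ == "__main__":
    # Usage: python scan_logs.py [logfile]; with no argument the sample is scanned.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG
    for lineno, category, value in scan_log(lines):
        # Print only a prefix so the report itself does not re-leak the value.
        print(f"line {lineno}: {category} -> {value[:4]}...")
    print("clean" if is_clean(redact_log(lines)) else "still leaking after redaction")
```

Run it before patching to confirm the exposure (the sample produces three findings), and again after patching on freshly generated logs; is_clean should then hold without any redaction. The same scan, run on a schedule over the log collector, doubles as the "log entries containing user credentials or PII" detection listed below.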
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to log files
- Log entries containing user credentials or PII
- Failed authentication attempts followed by log access
Network Indicators:
- Unexpected connections to log management interfaces
- Traffic to log storage locations from unauthorized sources
SIEM Query (illustrative Splunk-style search; adjust the source and field names to how your Metasys logs are ingested):
source="metasys_logs" AND (user_credential OR email_address OR password) NOT action="redacted"