Johnson Controls has mitigations in place to handle an information exposure through an error message vulnerability in its Metasys and BCPro, according to a report with NCCIC.
Successful exploitation of this vulnerability, which is exploitable on an adjacent network, could allow an attacker to obtain technical information about the Metasys or BCPro server, allowing an attacker to target a system for attack.
Johnson Controls reports the vulnerability, discovered by Dan Regalado of Zingbox, affects the following products:
• Metasys System, Versions 8.0 and prior
• BCPro (BCM), all versions prior to 3.0.2
This vulnerability results from improper error handling in HTTP-based communications with the server, which could allow an attacker to obtain technical information.
CVE-2018-10624 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.3.
The product sees use mainly in the critical manufacturing sector. It sees action on a global basis.
No known public exploits specifically target this vulnerability. However, an attacker with low skill level could leverage the issue.
Milwaukee, WI-based Johnson Controls recommends the following mitigations:
• This issue was remediated in Metasys v8.1 (April, 2016). Users should upgrade to the latest product version (9.0). For Metasys information, contact your Metasys field service/sales representative.
• This issue was remediated in the BCPro Workstation in BCPro v3.0 (October, 2017) and mitigated for the BACnet Router and Gateway in BCPro v3.0.2 (June, 2018). Users should upgrade to the latest product versions. For more BCPro information, contact your BCPro sales and support representative.
Additional information for Johnson Controls:
• Click here for product security contact information, Building Automation System hardening, and security resources.
• Contact information: Johnson Controls Global Product Security.