cnvd - cnvd-2020-16691

CNVD-2020-16691

Vulnerability from cnvd - Published: 2020-03-11

Title

Johnson Controls Metasys XML外部实体注入漏洞

Description

Johnson Controls Metasys是美国江森自控（Johnson Controls）公司的一套楼宇自控系统。该系统可通过多种开放协议或标准接口与消防、安防等弱电子系统联网，为安全访问提供系统完整性。 Johnson Controls Metasys存在XML外部实体注入漏洞，攻击者可利用该漏洞从服务器中获取ASCII文件。

Severity

高

Patch Name

Johnson Controls Metasys XML外部实体注入漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.johnsoncontrols.com/cyber-solutions/security-advisories

Reference

https://www.us-cert.gov/ics/advisories/icsa-20-070-05

Impacted products

Name
Johnson Controls Metasys

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-9044"
    }
  },
  "description": "Johnson Controls Metasys\u662f\u7f8e\u56fd\u6c5f\u68ee\u81ea\u63a7\uff08Johnson Controls\uff09\u516c\u53f8\u7684\u4e00\u5957\u697c\u5b87\u81ea\u63a7\u7cfb\u7edf\u3002\u8be5\u7cfb\u7edf\u53ef\u901a\u8fc7\u591a\u79cd\u5f00\u653e\u534f\u8bae\u6216\u6807\u51c6\u63a5\u53e3\u4e0e\u6d88\u9632\u3001\u5b89\u9632\u7b49\u5f31\u7535\u5b50\u7cfb\u7edf\u8054\u7f51\uff0c\u4e3a\u5b89\u5168\u8bbf\u95ee\u63d0\u4f9b\u7cfb\u7edf\u5b8c\u6574\u6027\u3002\n\nJohnson Controls Metasys\u5b58\u5728XML\u5916\u90e8\u5b9e\u4f53\u6ce8\u5165\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4ece\u670d\u52a1\u5668\u4e2d\u83b7\u53d6ASCII\u6587\u4ef6\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.johnsoncontrols.com/cyber-solutions/security-advisories",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-16691",
  "openTime": "2020-03-11",
  "patchDescription": "Johnson Controls Metasys\u662f\u7f8e\u56fd\u6c5f\u68ee\u81ea\u63a7\uff08Johnson Controls\uff09\u516c\u53f8\u7684\u4e00\u5957\u697c\u5b87\u81ea\u63a7\u7cfb\u7edf\u3002\u8be5\u7cfb\u7edf\u53ef\u901a\u8fc7\u591a\u79cd\u5f00\u653e\u534f\u8bae\u6216\u6807\u51c6\u63a5\u53e3\u4e0e\u6d88\u9632\u3001\u5b89\u9632\u7b49\u5f31\u7535\u5b50\u7cfb\u7edf\u8054\u7f51\uff0c\u4e3a\u5b89\u5168\u8bbf\u95ee\u63d0\u4f9b\u7cfb\u7edf\u5b8c\u6574\u6027\u3002\r\n\r\nJohnson Controls Metasys\u5b58\u5728XML\u5916\u90e8\u5b9e\u4f53\u6ce8\u5165\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4ece\u670d\u52a1\u5668\u4e2d\u83b7\u53d6ASCII\u6587\u4ef6\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Johnson Controls Metasys XML\u5916\u90e8\u5b9e\u4f53\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Johnson Controls Metasys"
  },
  "referenceLink": "https://www.us-cert.gov/ics/advisories/icsa-20-070-05",
  "serverity": "\u9ad8",
  "submitTime": "2020-03-11",
  "title": "Johnson Controls Metasys XML\u5916\u90e8\u5b9e\u4f53\u6ce8\u5165\u6f0f\u6d1e"
}

CVE-2020-9044 (GCVE-0-2020-9044)

Vulnerability from cvelistv5 – Published: 2020-03-10 19:28 – Updated: 2024-08-04 10:19

Summary

XXE vulnerability exists in the Metasys family of product Web Services which has the potential to facilitate DoS attacks or harvesting of ASCII server files. This affects Johnson Controls' Metasys Application and Data Server (ADS, ADS-Lite) versions 10.1 and prior; Metasys Extended Application and Data Server (ADX) versions 10.1 and prior; Metasys Open Data Server (ODS) versions 10.1 and prior; Metasys Open Application Server (OAS) version 10.1; Metasys Network Automation Engine (NAE55 only) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys Network Integration Engine (NIE55/NIE59) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys NAE85 and NIE85 versions 10.1 and prior; Metasys LonWorks Control Server (LCS) versions 10.1 and prior; Metasys System Configuration Tool (SCT) versions 13.2 and prior; Metasys Smoke Control Network Automation Engine (NAE55, UL 864 UUKL/ORD-C100-13 UUKLC 10th Edition Listed) version 8.1.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-611 - - Information Leak Through XML External Entity File Disclosure

Assigner

jci

References

URL

Tags

	https://www.johnsoncontrols.com/cyber-solutions/s…	x_refsource_CONFIRM
	https://www.us-cert.gov/ics/advisories/icsa-20-070-05	third-party-advisoryx_refsource_CERT

Impacted products

Vendor

Product

Version

Johnson Controls

Metasys Application and Data Server (ADS, ADS-Lite)

Affected: versions 10.1 and prior

Johnson Controls	Metasys Extended Application and Data Server (ADX)	Affected: versions 10.1 and prior
Johnson Controls	Metasys Open Data Server (ODS)	Affected: versions 10.1 and prior
Johnson Controls	Metasys Open Application Server (OAS)	Affected: version 10.1
Johnson Controls	Metasys Network Automation Engine (NAE55 only)	Affected: versions 9.0.1 Affected: 9.0.2 Affected: 9.0.3 Affected: 9.0.5 Affected: 9.0.6
Johnson Controls	Metasys Network Integration Engine (NIE55/NIE59)	Affected: versions 9.0.1 Affected: 9.0.2 Affected: 9.0.3 Affected: 9.0.5 Affected: 9.0.6
Johnson Controls	Metasys NAE85 and NIE85	Affected: versions 10.1 and prior
Johnson Controls	Metasys LonWorks Control Server (LCS)	Affected: versions 10.1 and prior
Johnson Controls	Metasys System Configuration Tool (SCT)	Affected: versions 13.2 and prior
Johnson Controls	Metasys Smoke Control Network Automation Engine (NAE55, UL 864 UUKL/ORD-C100-13 UUKLC 10th Edition Listed)	Affected: version 8.1

Credits

Lukasz Rupala

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T10:19:19.812Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
          },
          {
            "name": "ICS-CERT Advisory",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT",
              "x_transferred"
            ],
            "url": "https://www.us-cert.gov/ics/advisories/icsa-20-070-05"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Metasys Application and Data Server (ADS, ADS-Lite)",
          "vendor": "Johnson Controls",
          "versions": [
            {
              "status": "affected",
              "version": "versions 10.1 and prior"
            }
          ]
        },
        {
          "product": "Metasys Extended Application and Data Server (ADX)",
          "vendor": "Johnson Controls",
          "versions": [
            {
              "status": "affected",
              "version": "versions 10.1 and prior"
            }
          ]
        },
        {
          "product": "Metasys Open Data Server (ODS)",
          "vendor": "Johnson Controls",
          "versions": [
            {
              "status": "affected",
              "version": "versions 10.1 and prior"
            }
          ]
        },
        {
          "product": "Metasys Open Application Server (OAS)",
          "vendor": "Johnson Controls",
          "versions": [
            {
              "status": "affected",
              "version": "version 10.1"
            }
          ]
        },
        {
          "product": "Metasys Network Automation Engine (NAE55 only)",
          "vendor": "Johnson Controls",
          "versions": [
            {
              "status": "affected",
              "version": "versions 9.0.1"
            },
            {
              "status": "affected",
              "version": "9.0.2"
            },
            {
              "status": "affected",
              "version": "9.0.3"
            },
            {
              "status": "affected",
              "version": "9.0.5"
            },
            {
              "status": "affected",
              "version": "9.0.6"
            }
          ]
        },
        {
          "product": "Metasys Network Integration Engine (NIE55/NIE59)",
          "vendor": "Johnson Controls",
          "versions": [
            {
              "status": "affected",
              "version": "versions 9.0.1"
            },
            {
              "status": "affected",
              "version": "9.0.2"
            },
            {
              "status": "affected",
              "version": "9.0.3"
            },
            {
              "status": "affected",
              "version": "9.0.5"
            },
            {
              "status": "affected",
              "version": "9.0.6"
            }
          ]
        },
        {
          "product": "Metasys NAE85 and NIE85",
          "vendor": "Johnson Controls",
          "versions": [
            {
              "status": "affected",
              "version": "versions 10.1 and prior"
            }
          ]
        },
        {
          "product": "Metasys LonWorks Control Server (LCS)",
          "vendor": "Johnson Controls",
          "versions": [
            {
              "status": "affected",
              "version": "versions 10.1 and prior"
            }
          ]
        },
        {
          "product": "Metasys System Configuration Tool (SCT)",
          "vendor": "Johnson Controls",
          "versions": [
            {
              "status": "affected",
              "version": "versions 13.2 and prior"
            }
          ]
        },
        {
          "product": "Metasys Smoke Control Network Automation Engine (NAE55, UL 864 UUKL/ORD-C100-13 UUKLC 10th Edition Listed)",
          "vendor": "Johnson Controls",
          "versions": [
            {
              "status": "affected",
              "version": "version 8.1"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Lukasz Rupala"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XXE vulnerability exists in the Metasys family of product Web Services which has the potential to facilitate DoS attacks or harvesting of ASCII server files. This affects Johnson Controls\u0027 Metasys Application and Data Server (ADS, ADS-Lite) versions 10.1 and prior; Metasys Extended Application and Data Server (ADX) versions 10.1 and prior; Metasys Open Data Server (ODS) versions 10.1 and prior; Metasys Open Application Server (OAS) version 10.1; Metasys Network Automation Engine (NAE55 only) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys Network Integration Engine (NIE55/NIE59) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys NAE85 and NIE85 versions 10.1 and prior; Metasys LonWorks Control Server (LCS) versions 10.1 and prior; Metasys System Configuration Tool (SCT) versions 13.2 and prior; Metasys Smoke Control Network Automation Engine (NAE55, UL 864 UUKL/ORD-C100-13 UUKLC 10th Edition Listed) version 8.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "CWE-611 - Information Leak Through XML External Entity File Disclosure ",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-03-10T19:28:30",
        "orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
        "shortName": "jci"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
        },
        {
          "name": "ICS-CERT Advisory",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT"
          ],
          "url": "https://www.us-cert.gov/ics/advisories/icsa-20-070-05"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Johnson Controls has developed a patch to address this issue.  Customers should contact their local branch office for remediation.  "
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Metasys Improper Restriction of XML External Entity Reference",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "productsecurity@jci.com",
          "ID": "CVE-2020-9044",
          "STATE": "PUBLIC",
          "TITLE": "Metasys Improper Restriction of XML External Entity Reference"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Metasys Application and Data Server (ADS, ADS-Lite)",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "versions 10.1 and prior"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Metasys Extended Application and Data Server (ADX)",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "versions 10.1 and prior"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Metasys Open Data Server (ODS)",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "versions 10.1 and prior"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Metasys Open Application Server (OAS)",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "version 10.1"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Metasys Network Automation Engine (NAE55 only)",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "versions 9.0.1"
                          },
                          {
                            "version_value": "9.0.2"
                          },
                          {
                            "version_value": "9.0.3"
                          },
                          {
                            "version_value": "9.0.5"
                          },
                          {
                            "version_value": "9.0.6"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Metasys Network Integration Engine (NIE55/NIE59)",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "versions 9.0.1"
                          },
                          {
                            "version_value": "9.0.2"
                          },
                          {
                            "version_value": "9.0.3"
                          },
                          {
                            "version_value": "9.0.5"
                          },
                          {
                            "version_value": "9.0.6"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Metasys NAE85 and NIE85",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "versions 10.1 and prior"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Metasys LonWorks Control Server (LCS)",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "versions 10.1 and prior"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Metasys System Configuration Tool (SCT)",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "versions 13.2 and prior"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Metasys Smoke Control Network Automation Engine (NAE55, UL 864 UUKL/ORD-C100-13 UUKLC 10th Edition Listed)",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "version 8.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Johnson Controls"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Lukasz Rupala"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "XXE vulnerability exists in the Metasys family of product Web Services which has the potential to facilitate DoS attacks or harvesting of ASCII server files. This affects Johnson Controls\u0027 Metasys Application and Data Server (ADS, ADS-Lite) versions 10.1 and prior; Metasys Extended Application and Data Server (ADX) versions 10.1 and prior; Metasys Open Data Server (ODS) versions 10.1 and prior; Metasys Open Application Server (OAS) version 10.1; Metasys Network Automation Engine (NAE55 only) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys Network Integration Engine (NIE55/NIE59) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys NAE85 and NIE85 versions 10.1 and prior; Metasys LonWorks Control Server (LCS) versions 10.1 and prior; Metasys System Configuration Tool (SCT) versions 13.2 and prior; Metasys Smoke Control Network Automation Engine (NAE55, UL 864 UUKL/ORD-C100-13 UUKLC 10th Edition Listed) version 8.1."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-611 - Information Leak Through XML External Entity File Disclosure "
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories",
              "refsource": "CONFIRM",
              "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
            },
            {
              "name": "ICS-CERT Advisory",
              "refsource": "CERT",
              "url": "https://www.us-cert.gov/ics/advisories/icsa-20-070-05"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Johnson Controls has developed a patch to address this issue.  Customers should contact their local branch office for remediation.  "
          }
        ],
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
    "assignerShortName": "jci",
    "cveId": "CVE-2020-9044",
    "datePublished": "2020-03-10T19:28:30",
    "dateReserved": "2020-02-18T00:00:00",
    "dateUpdated": "2024-08-04T10:19:19.812Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2020-16691

CVE-2020-9044 (GCVE-0-2020-9044)

Tags

Sightings

Nomenclature