Advisory: Johnson Controls Metasys ADS/ADX/OAS (Versions 10 and 11)

Summary

A Server-Side Request Forgery (SSRF) vulnerability in Johnson Controls Metasys ADS/ADX/OAS (versions 10 and 11) allows an authenticated attacker to inject malicious HTML into the MUI PDF export request. The server renders that HTML before converting it to PDF, which lets the attacker forge requests to internal systems and retrieve the responses by downloading the resulting PDF.

This allows the authenticated attacker to both scan and gain access to internal servers, resulting in a disclosure of potentially sensitive information as well as a potential compromise of internal systems through second-order requests.

This vulnerability was discovered during an assessment of a Synack Red Team customer. Vulnerability disclosure was coordinated through Synack in order to ensure the full protection of customer privacy.

Vendor

Johnson Controls Inc.

Affected Version(s)

  • Metasys ADS/ADX/OAS 10 < 10.1.5

  • Metasys ADS/ADX/OAS 11 < 11.0.2

Risk Assessment

Clandestine Labs assesses that this vulnerability could be used to forge requests to internal systems. This could in turn allow an attacker both to gain access to sensitive information on internal web servers and to gain a foothold in the internal network by exploiting those internal systems through the forged web requests.

Mitigation

Johnson Controls has suggested the following mitigations for this vulnerability:

  • Update all Metasys ADS/ADX/OAS 10 versions with patch 10.1.5.

  • Update all Metasys ADS/ADX/OAS 11 versions with patch 11.0.2.


Vulnerability Details

The Johnson Controls Metasys Application and Data Server/Extended Application and Data Server (ADS/ADX) is an optional building automation component that manages the collection of large amounts of trend data, event messages, operator transactions, and system configuration data. It also provides site unification, advanced reporting, a simple and intuitive user interface, and a hierarchical network view of the entire system for all connected devices. According to Johnson Controls, this allows for efficient control of energy usage, quick response to critical conditions, and optimization of automation strategies.

Logging into the application provides a first look at the Metasys User Interface (MUI). This UI allows Metasys system designers to create, edit, and manage graphics. In the top right corner of the Graphics pane, an Export PDF function is available for exporting the created graphics to a PDF file. You can see the Export PDF feature circled in red in the below image.

By using a web proxy such as Burp, the request that controls the PDF export can be intercepted as shown below (various data has been redacted to ensure client privacy):

The request above can be modified by an authenticated user to inject arbitrary HTML into the resulting PDF as shown below. This is inherently dangerous because the action of converting HTML is conducted server-side. In this case our researcher injected an iframe into the Data parameter of the request body, forcing the iframe to be rendered by the server before converting the graphic into PDF format.

As you can see below, the injection of a malicious iframe allows the attacker to forge requests to internal web servers. If the attacker wishes to view the response, they simply need to open the resulting PDF file that is generated.
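As an added illustration (not code from the advisory or from Johnson Controls), the following Python shows the kind of server-side check the export handler, or a proxy in front of it, could apply to the HTML carried in the Data parameter before it reaches the HTML-to-PDF renderer: any element that makes the converter fetch a URL is reported, and fetch targets on loopback, private, link-local or unqualified hosts are treated as internal. The parameter content and sample graphic markup are assumptions constructed for the example.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements whose attribute makes an HTML-to-PDF renderer fetch a URL server-side.
FETCHING_ATTRS = {"iframe": "src", "frame": "src", "img": "src", "embed": "src",
                  "object": "data", "script": "src", "link": "href"}
# Elements that embed active or nested content and never belong in a graphic export.
ACTIVE_TAGS = {"iframe", "frame", "object", "embed", "script"}


def is_internal_target(url: str) -> bool:
    """True if fetching this URL would reach the server itself or its network."""
    p = urlparse(url.strip())
    if p.scheme and p.scheme not in ("http", "https"):
        return True                      # file:, gopher:, etc. are never legitimate
    host = p.hostname
    if host is None:
        return True                      # relative URL: resolves against the server
    try:
        return not ipaddress.ip_address(host).is_global   # loopback, RFC1918, link-local
    except ValueError:
        # Unqualified names and .local only resolve on the internal network.
        return "." not in host or host.endswith(".local")


class _ExportAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = FETCHING_ATTRS.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr) or ""
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> embeds active content: {url!r}")
        elif is_internal_target(url):
            self.findings.append(f"<{tag}> fetches internal target: {url!r}")


def audit_export_html(html: str) -> list:
    """Return the reasons an export body should be rejected before rendering."""
    auditor = _ExportAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample of what the Data parameter might carry (assumption).
BENIGN_GRAPHIC = '<div class="graphic"><p>Boiler 1: 180 F</p></div>'
```

A non-empty result from audit_export_html is a reason to reject the export request and to log the submitting account, since only authenticated users can reach the feature.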

Due to the ease of exploitability of this vulnerability, we recommend following the guidance provided in Johnson Controls Product Security Advisory JCI-PSA-2022-02 v1 and CISA ICSA-22-095-02. See the reference section below for more information.



Credits

Tony West, Founder & Lead Researcher at Clandestine Labs


Disclosure Timeline

June 5, 2021 - Discovered the vulnerability and reported to the affected organization.

June 5, 2021 - Contacted the vendor to report the vulnerability.

June 13, 2021 - Contacted the vendor to follow up and verify receipt of the vulnerability report.

July 8, 2021 - Requested disclosure assistance from Synack.

October 27, 2021 - Contacted ICS-CERT (CISA) for disclosure assistance.

November 2, 2021 - Received response from Johnson Controls.

January 16, 2022 - Requested ETA from vendor for patch/public security advisory.

January 20, 2022 - Received response from vendor indicating patches would be ready by March.

March 10, 2022 - Received notification of patch, coordinated with vendor and CISA for disclosure.

March 16, 2022 - JCI-PSA-2022-02 published by Johnson Controls.

April 5, 2022 - ICSA-22-095-02 published by CISA.

