Johnson Controls Metasys and BCPro Generation of Error Message Containing Sensitive Information
Understanding CVE-2018-10624
This CVE is a vulnerability in Johnson Controls Metasys System versions 8.0 and earlier, as well as BCPro (BCM) versions prior to 3.0.2, caused by improper error handling in HTTP-based communications.
What is CVE-2018-10624?
The vulnerability stems from inadequate error handling during server communication via HTTP, potentially enabling attackers to access technical information.
The Impact of CVE-2018-10624
The vulnerability could allow malicious actors to obtain sensitive technical data from affected systems, posing a risk to confidentiality and system integrity.
Technical Details of CVE-2018-10624
Vulnerability Description
The flaw in Johnson Controls Metasys System and BCPro (BCM) arises from improper error handling in HTTP-based communications, leading to information exposure.
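The class of flaw described above, an HTTP error response that carries technical detail, shown as an added generic illustration next to a hardened form and a response-body check. This is not Johnson Controls code and does not reproduce Metasys or BCPro behaviour; the `lookup` handler, the `/opt/app/data` path and all function names are constructed assumptions.

```python
import logging
import re
import traceback
import uuid

log = logging.getLogger("app.errors")

# Illustrative (not exhaustive) signs of technical detail in a response body.
LEAK_PATTERNS = [
    re.compile(r"Traceback \(most recent call last\)"),
    re.compile(r'File "[^"]+", line \d+'),
    re.compile(r"(?:[A-Za-z]:\\|/)(?:[\w.-]+[\\/])+[\w.-]+"),  # filesystem path
]

def lookup(resource):
    # Constructed backend call: fails and names an internal path in its message.
    raise FileNotFoundError(f"/opt/app/data/{resource}.db not found")

def error_response_verbose(exc):
    # Weak pattern: the full exception and stack trace go back to the client.
    body = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    return 500, body

def error_response_safe(exc):
    # Hardened pattern: detail stays in the server log, keyed by a random
    # reference the client can quote to support.
    incident = uuid.uuid4().hex
    log.error("incident %s", incident, exc_info=(type(exc), exc, exc.__traceback__))
    return 500, f"Internal error. Reference: {incident}"

def serve(resource, responder):
    try:
        return 200, lookup(resource)
    except Exception as exc:
        return responder(exc)

def leaked_details(body):
    # Returns the patterns that matched, for use in a response-body check.
    return [p.pattern for p in LEAK_PATTERNS if p.search(body)]

if __name__ == "__main__":
    for responder in (error_response_verbose, error_response_safe):
        status, body = serve("points", responder)
        print(responder.__name__, status, leaked_details(body))
```

The same `leaked_details` check can be run over captured error responses from a test environment to confirm that a patched server no longer returns stack traces or internal paths.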
Affected Systems and Versions
Exploitation Mechanism
Attackers can exploit the vulnerability by manipulating HTTP-based communications to extract technical information from the server.
Mitigation and Prevention
Immediate Steps to Take
Long-Term Security Practices
Patching and Updates