
CVE-2020-9044 : Exploit Details and Defense Strategies


An XML External Entity (XXE) vulnerability in the Metasys family of products by Johnson Controls could be exploited to cause denial of service or to harvest files from the affected server.

Understanding CVE-2020-9044

This CVE is an XXE vulnerability in several Metasys products; for most of them the affected releases are versions 10.1 and prior (the exact versions per product are listed under Affected Systems and Versions).

What is CVE-2020-9044?

CVE-2020-9044 is an XXE vulnerability in the Web Services of Johnson Controls' Metasys products. An attacker who can submit XML to those services could use it to cause a denial of service or to retrieve files.

The Impact of CVE-2020-9044

The vulnerability has a CVSS base score of 7.5 (High). Successful exploitation can cause denial of service or harvest ASCII files from the affected system.

Technical Details of CVE-2020-9044

This section provides detailed technical insights into the vulnerability.

Vulnerability Description

The affected Metasys products resolve XML External Entity references in XML documents they receive, which lets a threat actor control what the server's XML parser loads or expands.

Affected Systems and Versions

        Metasys Application and Data Server (ADS, ADS-Lite) versions 10.1 and prior
        Metasys Extended Application and Data Server (ADX) versions 10.1 and prior
        Metasys Open Data Server (ODS) versions 10.1 and prior
        Metasys Open Application Server (OAS) version 10.1
        Metasys Network Automation Engine (NAE55 only) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6
        Metasys Network Integration Engine (NIE55/NIE59) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6
        Metasys NAE85 and NIE85 versions 10.1 and prior
        Metasys LonWorks Control Server (LCS) versions 10.1 and prior
        Metasys System Configuration Tool (SCT) versions 13.2 and prior
        Metasys Smoke Control Network Automation Engine (NAE55, UL 864 UUKL/ORD-C100-13 UUKLC 10th Edition Listed) version 8.1

Exploitation Mechanism

An attacker submits an XML document whose document type declaration contains crafted external entity references. When the server-side parser resolves them, the result can be a denial of service (runaway entity expansion) or access to files readable by the server (external entity retrieval).
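The following is an added illustration of the vulnerability class and of the standard parser-side hardening, not Metasys code and not the Johnson Controls patch (the remediation for CVE-2020-9044 remains the vendor patch listed below). It shows the two document shapes behind the impacts named on this page, an external (SYSTEM) entity and nested internal entities, and a wrapper around Python's stdlib expat parser that refuses any inbound document as soon as a DOCTYPE or entity declaration appears, so neither shape ever reaches the real parser. The sample documents, the `PLACEHOLDER_PATH` and the element names are constructed for the demonstration.

```python
"""Hardened XML intake that refuses any document carrying a DOCTYPE.

Added example for the XXE class described on this page; it is not
Metasys code and not the vendor patch. All sample documents below are
constructed, and the file path in them is a placeholder.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class DoctypeRejected(ValueError):
    """Raised when an inbound document declares a DOCTYPE or an entity."""


def parse_xml_hardened(data: bytes) -> ET.Element:
    """Parse `data` only if it carries no DOCTYPE and no entity declarations.

    Both XXE impacts hinge on the document type declaration: external
    (SYSTEM) entities are how file contents get pulled into the document,
    and nested internal entities are how expansion blow-up (denial of
    service) is built. Aborting when the DOCTYPE begins prevents both.
    """
    scanner = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE '{name}' not allowed in inbound XML")

    def on_entity(*_):
        # expat reports the DOCTYPE before any entity inside it, so this
        # handler is a second line of defence rather than the usual path.
        raise DoctypeRejected("entity declaration not allowed in inbound XML")

    scanner.StartDoctypeDeclHandler = on_doctype
    scanner.EntityDeclHandler = on_entity
    scanner.Parse(data, True)          # raises DoctypeRejected or expat.ExpatError
    return ET.fromstring(data)         # document is DOCTYPE-free; parse for real


def classify(data: bytes) -> str:
    """Return 'ok', 'rejected' or 'malformed' for one inbound document."""
    try:
        parse_xml_hardened(data)
        return "ok"
    except DoctypeRejected:
        return "rejected"
    except (expat.ExpatError, ET.ParseError):
        return "malformed"


# Constructed samples (not captured from any real system).
BENIGN = b'<?xml version="1.0"?><request><point>AV1</point></request>'

# Shape of an external-entity reference (file retrieval class); the
# path is a placeholder, not a real target.
EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE request [<!ENTITY ext SYSTEM "file:///PLACEHOLDER_PATH">]>'
    b'<request><point>&ext;</point></request>'
)

# Shape of nested internal entities (expansion-based denial of service
# class, kept to two levels here).
NESTED_ENTITIES = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE request [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
    b'<request><point>&b;</point></request>'
)

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN),
                       ("external entity", EXTERNAL_ENTITY),
                       ("nested entities", NESTED_ENTITIES)]:
        print(f"{label:16s} -> {classify(doc)}")
```

Refusing the DOCTYPE outright is the simplest robust setting for services that never legitimately receive DTDs; the equivalent knob exists in most XML libraries (for example "disallow-doctype-decl" style features), and a rejected document is also a useful detection signal to log at the service boundary.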

Mitigation and Prevention

Protect your systems from CVE-2020-9044 with the following measures:

Immediate Steps to Take

        Apply the patch provided by Johnson Controls
        Contact your local branch office for remediation assistance

Long-Term Security Practices

        Regularly update and patch all software and firmware
        Conduct security assessments and audits periodically

Patching and Updates

Johnson Controls has released a patch to address this vulnerability. Ensure timely application to secure your systems.
