
CVE-2021-36203 : Security Advisory and Response

Discover the impact and mitigation steps for CVE-2021-36203 affecting Metasys System Configuration Tool (SCT) and SCT Pro by Johnson Controls. Learn how to secure your systems.

CVE-2021-36203 is a vulnerability in Johnson Controls Metasys SCT and SCT Pro that may allow an attacker to identify and forge requests to internal systems. Learn about its impact, technical details, and mitigation steps.

Understanding CVE-2021-36203

This vulnerability affects the Metasys System Configuration Tool (SCT) and Metasys System Configuration Tool Pro (SCT Pro) by Johnson Controls. It was reported by Tony West and Scott Ponte to Johnson Controls, who then reported it to CISA.

What is CVE-2021-36203?

The affected product may allow an attacker to identify and forge requests to internal systems by way of a specially crafted request.

The Impact of CVE-2021-36203

With a CVSS base score of 5.3, this medium-severity vulnerability has a low impact on confidentiality, no impact on integrity, and requires no privileges for exploitation.

Technical Details of CVE-2021-36203

Vulnerability Description

The vulnerability is classified as CWE-918 - Server-Side Request Forgery (SSRF). It has low attack complexity and a network attack vector, meaning it can be reached remotely over the network.

Affected Systems and Versions

The Metasys System Configuration Tool (SCT) and Metasys System Configuration Tool Pro (SCT Pro) versions less than 14.2.2 are affected.

Exploitation Mechanism

Attackers can exploit this vulnerability through specially crafted requests, allowing them to identify and forge requests to internal systems.

Mitigation and Prevention

To mitigate CVE-2021-36203, Johnson Controls recommends the following steps:

Immediate Steps to Take

Update SCT/SCT Pro with Patch 14.2.2
Take proper steps to minimize risks to all building automation systems.

Long-Term Security Practices

Implement robust security measures such as network segmentation, least privilege access, and continuous monitoring to reduce the risk and impact of such vulnerabilities.
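As an added illustration of the CWE-918 class named above (example code written for this page, not code from the advisory or from Johnson Controls), the following shows the kind of outbound-destination check an application can apply before making a server-side request: it enforces a scheme allow-list, resolves the host, and rejects any destination that maps to loopback, private, link-local or otherwise internal address space. Function names and the sample URLs are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Only plain web schemes are acceptable for server-initiated requests.
ALLOWED_SCHEMES = {"http", "https"}


def _is_internal(addr: ipaddress._BaseAddress) -> bool:
    """True if the address belongs to a range an SSRF filter should refuse."""
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so the IPv4 rules apply to it.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def resolve_targets(host: str) -> list:
    """Return every address the host maps to (literals are parsed directly)."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass  # not a literal; fall through to DNS resolution
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    # A name with one public and one internal record is still rejected,
    # because every resolved address is checked by the caller.
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def check_outbound_url(url: str) -> tuple:
    """Return (allowed, reason) for a URL the server is about to fetch."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    try:
        targets = resolve_targets(parts.hostname)
    except (socket.gaierror, ValueError) as exc:
        return False, f"unresolvable host: {exc}"
    for addr in targets:
        if _is_internal(addr):
            return False, f"resolves to internal address {addr}"
    # Caveat: the HTTP client must connect to one of the addresses checked
    # here (pin it) rather than resolving the name again, or a DNS record
    # that changes between the two lookups would bypass the check.
    return True, "ok"
```

Redirects returned by the remote server must be passed through the same check before they are followed, otherwise a public host can bounce the request back to an internal one.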

Patching and Updates

For more detailed mitigation instructions, refer to Johnson Controls Product Security Advisory JCI-PSA-2022-03 v1.
