An Insufficiently Protected Credentials vulnerability in Johnson Controls Metasys allows API calls to expose credentials in plain text.
Understanding CVE-2021-36204
This vulnerability affects Johnson Controls Metasys ADS/ADX/OAS versions prior to 10.1.6 and 11.0.3.
What is CVE-2021-36204?
Under certain circumstances, API calls to Johnson Controls Metasys return credentials in plain text rather than in a protected form.
The Impact of CVE-2021-36204
Exposed credentials could be reused to gain unauthorized access to the system, potentially compromising the confidentiality, integrity, and availability of the building automation data it manages.
Technical Details of CVE-2021-36204
The Insufficiently Protected Credentials issue carries a CVSSv3 base score of 7.8 (High). The attack vector is local and the attack complexity is low, so an attacker who already has local access to the host needs no special conditions to trigger the exposure.
Vulnerability Description
The vulnerability in Metasys allows API calls to reveal credentials in plain text, exposing sensitive authentication data to anyone who can issue those calls.
Affected Systems and Versions
Johnson Controls Metasys ADS/ADX/OAS versions prior to 10.1.6 and 11.0.3 are affected by this vulnerability.
Exploitation Mechanism
An attacker with the required local access can issue the affected API calls to retrieve credentials, which could then be used to gain unauthorized access.
Mitigation and Prevention
To address CVE-2021-36204, update affected versions promptly with the patches recommended by the vendor.
Immediate Steps to Take
Update all Metasys ADS/ADX/OAS 10 versions with patch 10.1.6.
Long-Term Security Practices
Regularly monitor vendor and ICS security advisories and apply updates promptly to limit exposure to known vulnerabilities.
Patching and Updates
Ensure all Metasys ADS/ADX/OAS 11 versions are updated with patch 11.0.3 to mitigate the risk of credential exposure. Once patched, rotate any credentials that may have been exposed before the update.
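The affected range ("prior to 10.1.6 and 11.0.3") and the two patch levels above map to two release branches, so a defender checking a fleet of Metasys servers needs a branch-aware version comparison rather than a single threshold. The script below is an added example, not part of the original page or Johnson Controls' tooling; the inventory it scans is constructed sample data, and the version-string format (dotted integers) and the treatment of branches other than 10 and 11 as "needs manual review" are assumptions.

```python
from typing import Optional, Tuple

# Fix levels stated in the advisory: branch 10 is fixed in 10.1.6, branch 11 in 11.0.3.
FIXED_VERSION = {
    10: (10, 1, 6),
    11: (11, 0, 3),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse a dotted version string such as '10.1.5' into a comparable tuple."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> Optional[bool]:
    """Return True if the version is below its branch's fix level, False if patched,
    and None if the branch is not covered by the advisory (assumption: review manually)."""
    parsed = parse_version(version)
    fixed = FIXED_VERSION.get(parsed[0])
    if fixed is None:
        return None
    # Tuple comparison handles '10.1.5' < '10.1.6' and '10.0.9' < '10.1.6' correctly,
    # whereas a plain string comparison would not.
    return parsed < fixed


def required_patch(version: str) -> Optional[str]:
    """Name the patch level a host must reach, or None if it is already patched/out of scope."""
    if is_affected(version):
        return ".".join(str(p) for p in FIXED_VERSION[parse_version(version)[0]])
    return None


def triage(inventory: dict) -> dict:
    """Group hosts (name -> reported version) into affected / patched / review buckets."""
    report = {"affected": {}, "patched": [], "review": []}
    for host, version in inventory.items():
        state = is_affected(version)
        if state is None:
            report["review"].append(host)
        elif state:
            report["affected"][host] = required_patch(version)
        else:
            report["patched"].append(host)
    return report


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = {
    "ads-bldg-a": "10.1.5",
    "adx-bldg-b": "10.1.6",
    "oas-bldg-c": "11.0.2",
    "ads-bldg-d": "11.1.0",
    "legacy-site": "9.0.7",
}

if __name__ == "__main__":
    result = triage(SAMPLE_INVENTORY)
    for host, patch in result["affected"].items():
        print(f"{host}: AFFECTED, update to {patch}")
    for host in result["patched"]:
        print(f"{host}: patched")
    for host in result["review"]:
        print(f"{host}: branch not covered by advisory, review manually")
```

The per-branch table is the important part: a host on 10.1.5 is not fixed by the 11.0.3 patch, and a host on 11.0.2 is vulnerable even though 11.0.2 is numerically "newer" than 10.1.6.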