CVE-2020-9044 — HIGH (7.5) — White Hats Nepal

Q: How severe is CVE-2020-9044?

CVE-2020-9044 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-9044?

Check the references section above for vendor advisories and patch information. Affected products include: Johnsoncontrols Metasys Application And Data Server, Johnsoncontrols Metasys Extended Application And Data Server, Johnsoncontrols Metasys Lonworks Control Server, Johnsoncontrols Metasys Open Application Server, Johnsoncontrols Metasys Open Data Server.

Vulnerability Description

XXE vulnerability exists in the Metasys family of product Web Services which has the potential to facilitate DoS attacks or harvesting of ASCII server files. This affects Johnson Controls' Metasys Application and Data Server (ADS, ADS-Lite) versions 10.1 and prior; Metasys Extended Application and Data Server (ADX) versions 10.1 and prior; Metasys Open Data Server (ODS) versions 10.1 and prior; Metasys Open Application Server (OAS) version 10.1; Metasys Network Automation Engine (NAE55 only) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys Network Integration Engine (NIE55/NIE59) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys NAE85 and NIE85 versions 10.1 and prior; Metasys LonWorks Control Server (LCS) versions 10.1 and prior; Metasys System Configuration Tool (SCT) versions 13.2 and prior; Metasys Smoke Control Network Automation Engine (NAE55, UL 864 UUKL/ORD-C100-13 UUKLC 10th Edition Listed) version 8.1.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Johnsoncontrols	Metasys Application And Data Server	<= 10.1
Johnsoncontrols	Metasys Extended Application And Data Server	<= 10.1
Johnsoncontrols	Metasys Lonworks Control Server	<= 10.1
Johnsoncontrols	Metasys Open Application Server	10.1
Johnsoncontrols	Metasys Open Data Server	<= 10.1
Johnsoncontrols	Metasys System Configuration Tool	<= 13.2
Johnsoncontrols	Nae55 Firmware	9.0.1
Johnsoncontrols	Nae55	-
Johnsoncontrols	Nie55 Firmware	9.0.1
Johnsoncontrols	Nie55	-
Johnsoncontrols	Nie59 Firmware	9.0.1
Johnsoncontrols	Nie59	-
Johnsoncontrols	Nae85 Firmware	<= 10.1
Johnsoncontrols	Nae85	-
Johnsoncontrols	Nie85 Firmware	<= 10.1
Johnsoncontrols	Nie85	-
Johnsoncontrols	Ul 864 Uukl Firmware	8.1
Johnsoncontrols	Ul 864 Uukl	-
Johnsoncontrols	Ord-C100-13 Uuklc Firmware	8.1
Johnsoncontrols	Ord-C100-13 Uuklc	-

Related Weaknesses (CWE)

CWE-611

References

https://www.johnsoncontrols.com/cyber-solutions/security-advisoriesVendor Advisory
https://www.us-cert.gov/ics/advisories/icsa-20-070-05Third Party AdvisoryUS Government Resource
https://www.johnsoncontrols.com/cyber-solutions/security-advisoriesVendor Advisory
https://www.us-cert.gov/ics/advisories/icsa-20-070-05Third Party AdvisoryUS Government Resource

FAQ

What is CVE-2020-9044?

CVE-2020-9044 is a vulnerability with a CVSS score of 7.5 (HIGH). XXE vulnerability exists in the Metasys family of product Web Services which has the potential to facilitate DoS attacks or harvesting of ASCII server files. This affects Johnson Controls' Metasys App...

How severe is CVE-2020-9044?

CVE-2020-9044 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-9044?

Check the references section above for vendor advisories and patch information. Affected products include: Johnsoncontrols Metasys Application And Data Server, Johnsoncontrols Metasys Extended Application And Data Server, Johnsoncontrols Metasys Lonworks Control Server, Johnsoncontrols Metasys Open Application Server, Johnsoncontrols Metasys Open Data Server.