Learn about CVE-2021-36200 affecting Metasys ADS/ADX/OAS servers, its impact, affected versions, and mitigation steps. Update to patches 10.1.6 & 11.0.2 to secure your systems.
This article provides details about CVE-2021-36200, a vulnerability affecting Metasys ADS/ADX/OAS servers, discovered on July 21, 2022.
Understanding CVE-2021-36200
CVE-2021-36200 is a security vulnerability that allows an unauthenticated user to access the web API of Metasys ADS/ADX/OAS servers, potentially leading to user enumeration.
What is CVE-2021-36200?
The CVE-2021-36200 vulnerability affects Johnson Controls' Metasys ADS/ADX/OAS servers with versions prior to 10.1.6 and 11.0.2. It enables unauthorized users to access the web API and enumerate users.
The Impact of CVE-2021-36200
This vulnerability poses a medium severity risk, with a CVSS base score of 5.3. It could result in unauthorized access to sensitive information stored within the affected servers.
Technical Details of CVE-2021-36200
CVE-2021-36200 is classified under CWE-306, "Missing Authentication for Critical Function": the affected web API function can be reached without any prior authentication.
Vulnerability Description
Under specific circumstances, unauthenticated users can exploit this vulnerability to access the web API of vulnerable Metasys ADS/ADX/OAS servers.
Affected Systems and Versions
Metasys ADS/ADX/OAS servers running versions earlier than 10.1.6 and 11.0.2 are vulnerable to CVE-2021-36200.
Exploitation Mechanism
Because the affected web API function does not require authentication, an attacker can reach it without credentials and use it to enumerate the users of the server.
Mitigation and Prevention
To mitigate the CVE-2021-36200 vulnerability, users are advised to apply the following steps:
Immediate Steps to Take
Long-Term Security Practices
Implement robust authentication mechanisms, regularly monitor server logs for suspicious activity such as unauthenticated requests to the web API, and follow security best practices to prevent unauthorized access.
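The log-monitoring practice above, worked through as an added example that is not part of the advisory or of any Johnson Controls tooling: it scans constructed JSON-lines access records for the pattern this CVE produces, a single source reaching the web API without authenticating and touching several distinct user names. The API path layout (`/api/users/<name>`) and the `authenticated` field are assumptions, since the advisory does not describe the real endpoint or log format.

```python
import json
from collections import defaultdict

# Assumptions (not from the advisory): the web API lives under API_PREFIX and
# per-user resources are addressed as API_PREFIX + "users/<name>"; each log
# record carries an "authenticated" flag derived from the request.
API_PREFIX = "/api/"
ENUM_THRESHOLD = 3  # distinct user names probed before a finding is raised

# Constructed sample records in JSON-lines form (not real Metasys logs).
SAMPLE_LOG = "\n".join([
    '{"src": "10.0.0.5", "path": "/api/users/alice", "status": 200, "authenticated": false}',
    '{"src": "10.0.0.5", "path": "/api/users/bob", "status": 200, "authenticated": false}',
    '{"src": "10.0.0.5", "path": "/api/users/carol", "status": 404, "authenticated": false}',
    '{"src": "10.0.0.5", "path": "/api/users/dave", "status": 200, "authenticated": false}',
    '{"src": "10.0.0.9", "path": "/api/users/alice", "status": 200, "authenticated": true}',
    '{"src": "10.0.0.9", "path": "/api/users/bob", "status": 200, "authenticated": true}',
    '{"src": "10.0.0.9", "path": "/api/users/carol", "status": 200, "authenticated": true}',
    '{"src": "10.0.0.7", "path": "/login", "status": 200, "authenticated": false}',
])

def user_from_path(path):
    """Return the user name addressed by a per-user API path, or None."""
    marker = API_PREFIX + "users/"
    if not path.startswith(marker):
        return None
    return path[len(marker):].split("/", 1)[0] or None

def find_unauthenticated_enumeration(log_text, threshold=ENUM_THRESHOLD):
    """Flag sources that reach the web API without authenticating and touch
    several distinct user names (the CWE-306 pattern this CVE describes).
    Only 2xx responses count as enumerated; other statuses are tallied as
    refused so the finding shows how many probes returned nothing."""
    hits = defaultdict(lambda: {"users": set(), "refused": 0})
    for line in filter(str.strip, log_text.splitlines()):
        rec = json.loads(line)
        user = user_from_path(rec["path"])
        if rec.get("authenticated") or user is None:
            continue  # authenticated traffic and non-user paths are out of scope
        if 200 <= rec["status"] < 300:
            hits[rec["src"]]["users"].add(user)
        else:
            hits[rec["src"]]["refused"] += 1
    return {
        src: {"users": sorted(d["users"]), "refused": d["refused"]}
        for src, d in hits.items() if len(d["users"]) >= threshold
    }
```

On a patched server (10.1.6 or 11.0.2 and later) unauthenticated API requests should not return 2xx at all, so any finding from this check is worth investigating regardless of the threshold.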
Patching and Updates
Regularly apply security patches and updates provided by Johnson Controls to address known vulnerabilities and enhance the security posture of Metasys ADS/ADX/OAS servers.