Metasys use of hardcoded RC2 key
CVE-2019-7594

6.8MEDIUM

Key Information:

Vendor: Johnson Controls
Status: Metasys Versions Prior To 9.0
Vendor: CVE Published:; 20 August 2019

🔔 Create Johnson Controls Vulnerability Alert

What is CVE-2019-7594?

Metasys® ADS/ADX servers and NAE/NIE/NCE engines prior to 9.0 make use of a hardcoded RC2 key for certain encryption operations involving the Site Management Portal (SMP).

Affected Version(s)

Metasys prior to 9.0 9.0

References

https://www.johnsoncontrols.com/-/media/jci/cyber-solutio...

x_refsource_CONFIRM

https://www.us-cert.gov/ics/advisories/icsa-19-227-01

x_refsource_MISC

CVSS V3.1

Score:

6.8

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 20, 2019
Vulnerability Reserved
Feb 7, 2019

Credit

[email protected]

JSON