Severity
Medium
Analysis Summary
CVE-2019-7593
Metasys ADS/ADX servers and NAE/NIE/NCE engines make use of a shared RSA key pair for certain encryption operations involving the Site Management Portal (SMP). An attacker with access to the shared RSA key pair could decrypt captured network traffic between the Metasys ADS/ADX servers or NAE/NIE/NCE engines and the connecting SMP user client.
CVE-2019-7594
Metasys ADS/ADX servers and NAE/NIE/NCE engines make use of a hardcoded RC2 key for certain encryption operations involving the Site Management Portal (SMP). An attacker with access to the hardcoded RC2 key could decrypt captured network traffic between the Metasys ADS/ADX servers or NAE/NIE/NCE engines and the connecting SMP user client.
Impact
Decrypt captured network traffic.
Affected Vendors
Johnson Controls
Affected Products
Metasys system versions prior to 9.0
Remediation
Johnson Controls recommends that users upgrade to Version 9.0 or later and configure sites with trusted certificates.