
CVE-2019-7594 – Metasys use of hardcoded RC2 key
https://notcve.org/view.php?id=CVE-2019-7594
20 Aug 2019 — Metasys® ADS/ADX servers and NAE/NIE/NCE engines prior to 9.0 make use of a hardcoded RC2 key for certain encryption operations involving the Site Management Portal (SMP). • https://www.johnsoncontrols.com/-/media/jci/cyber-solutions/product-security-advisories/2019/jci-psa-2019-06-v1-metasys-icsa-19-227-01.pdf • CWE-321: Use of Hard-coded Cryptographic Key • CWE-798: Use of Hard-coded Credentials

CVE-2019-7593 – Metasys use of shared RSA key pairs
https://notcve.org/view.php?id=CVE-2019-7593
20 Aug 2019 — Metasys® ADS/ADX servers and NAE/NIE/NCE engines prior to 9.0 make use of a shared RSA key pair for certain encryption operations involving the Site Management Portal (SMP). • https://www.johnsoncontrols.com/-/media/jci/cyber-solutions/product-security-advisories/2019/jci-psa-2019-06-v1-metasys-icsa-19-227-01.pdf • CWE-323: Reusing a Nonce, Key Pair in Encryption • CWE-798: Use of Hard-coded Credentials

CVE-2018-10624 – Johnson Controls Metasys and BCPro Generation of Error Message Containing Sensitive Information
https://notcve.org/view.php?id=CVE-2018-10624
01 Aug 2018 — In Johnson Controls Metasys System Versions 8.0 and prior and BCPro (BCM) all versions prior to 3.0.2, this vulnerability results from improper error handling in HTTP-based communications with the server, which could allow an attacker to obtain technical information. • http://www.securityfocus.com/bid/104937 • CWE-209: Generation of Error Message Containing Sensitive Information • CWE-388: 7PK - Errors