CVE-2019-7593

NVD

https://nvd.nist.gov/vuln/detail/CVE-2019-7593

CWE

https://cwe.mitre.org/data/definitions/323.html

Metasys® ADS/ADX servers and NAE/NIE/NCE engines prior to 9.0 make use of a shared RSA key pair for certain encryption operations involving the Site Management Portal (SMP).

Weakness

Nonces should be used for the present occasion and only once.

Affected Software

Name	Vendor	Start Version	End Version
Metasys_system	Johnsoncontrols	*	9.0 (excluding)

Potential Mitigations

References

https://www.johnsoncontrols.com/-/media/jci/cyber-solutions/product-security-advisories/2019/jci-psa-2019-06-v1-metasys-icsa-19-227-01.pdf
https://www.us-cert.gov/ics/advisories/icsa-19-227-01
https://www.johnsoncontrols.com/-/media/jci/cyber-solutions/product-security-advisories/2019/jci-psa-2019-06-v1-metasys-icsa-19-227-01.pdf
https://www.us-cert.gov/ics/advisories/icsa-19-227-01

Reusing a Nonce, Key Pair in Encryption

Weakness

Affected Software

Potential Mitigations

References