Product Security Advisory – CVE-2021-3156

Overview
Ubuntu recently announced security vulnerabilities that impact the exacqVision Network Video Recorder versions that use the Ubuntu Linux operating system. The vulnerabilities affect a built-in Linux application called “Sudo”, which controls the provisioning of super user (administrator) access to the operating system. Under certain circumstances, an attacker could leverage them to achieve unauthorized privilege escalation. Johnson Controls recommends that customers apply the Ubuntu security updates to all affected exacqVision product deployments.

Impact
Under specific circumstances, a local attacker could use this issue to obtain unintended super user access to the underlying Ubuntu operating system.

Affected Versions
exacqVision is available in both Windows and Linux versions. This issue affects all unpatched versions of the Ubuntu operating system used on Linux-based Z-Series and A-Series and all Q-Series, G-Series, Legacy LC-Series, and Legacy ELP-Series exacqVision Network Video Recorders (NVR), as well as Linux-based C-Series Workstations and all S-Series Storage Servers.

Mitigation
Install the latest security updates for the Ubuntu operating system. Users may contact exacqVision technical support for assistance with updating their operating system.
https://exacq.com/support/techsupport/

Initial Publication
April 29, 2021

Last Published
April 29, 2021

Resources
Cyber Solutions Website – https://www.johnsoncontrols.com/cyber-solutions/security-advisories
CVE-2021-3156 – NIST National Vulnerability Database (NVD) and MITRE CVE® List
ICSA-21-119-03 – CISA ICS-CERT Advisories
Ubuntu Security Notice 1 – https://ubuntu.com/security/notices/USN-4705-1
Ubuntu Security Notice 2 – https://ubuntu.com/security/notices/USN-4705-2


Ubuntu 18.04 and 16.04 Update Instructions

From the Ubuntu Desktop, click on “Applications > System Tools > Terminal”

Ensure your system can access the internet. Run the following command to update the list of available software from Ubuntu’s repository.

sudo apt update

To update all packages (including kernel updates), run the following command:

sudo apt dist-upgrade

NOTE: Alternatively, to only update what’s necessary to address this vulnerability, run the following command:

sudo apt install --only-upgrade sudo

You will be asked whether you would like to continue. Type ‘Y’ and press ‘Enter’.
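
After the update completes, the result can be verified on each recorder. The script below is an added example, not part of the original advisory or of exacqVision software: it compares the installed sudo package version against the fixed version using dpkg's own version ordering. The function names are illustrative, and the fixed version is an input you supply from the Ubuntu Security Notice for your release (see Resources); no version number is built in.

```shell
#!/bin/sh
# Added example (not from the advisory): confirm the sudo package was upgraded.
# The fixed version is NOT hard-coded; pass the value listed for your Ubuntu
# release in the Ubuntu Security Notice linked under Resources.

# Print the installed version of a package, or nothing if it is not installed.
installed_version() {
    dpkg-query -W -f='${Version}' "$1" 2>/dev/null
}

# Compare two Debian version strings with dpkg's ordering rules, so that
# "ubuntu1.10" correctly sorts after "ubuntu1.9" (a plain string compare
# would get this wrong).
# Prints one of: patched | vulnerable | unknown
patch_status() {
    installed=$1
    fixed=$2
    if [ -z "$installed" ] || [ -z "$fixed" ] ||
       ! command -v dpkg >/dev/null 2>&1; then
        echo unknown
    elif dpkg --compare-versions "$installed" ge "$fixed"; then
        echo patched
    else
        echo vulnerable
    fi
}

# Report the state of this recorder; returns 0 only when sudo is patched.
check_sudo() {
    fixed=$1
    current=$(installed_version sudo)
    status=$(patch_status "$current" "$fixed")
    echo "sudo installed=${current:-none} fixed=$fixed status=$status"
    [ "$status" = patched ]
}

# Usage: sh check_sudo.sh <fixed-version-from-USN>
if [ "$#" -ge 1 ]; then
    check_sudo "$1"
fi
```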