
Solr vulnerability – CVE-2017-12629

Enterprise Manager

Enterprise Manager (formerly ESM) includes a version of Apache Solr that is vulnerable to an attack allowing remote code execution. Further information can be found here: https://nvd.nist.gov/vuln/detail/CVE-2017-12629

Mitigation: It is recommended that you follow the steps below appropriate for your Operating System.

For Windows

Note: File paths vary depending on installation, 64-bit or 32-bit.

  1. Launch services, then stop ‘solrJetty’.
  2. Click the ‘Start’ button and type ‘Notepad.exe’. Right-click Notepad and select ‘Run as administrator’.
  3. Click ‘File’, then ‘Open’, and navigate to the following file based on your install location:
    • For 64-bit: “C:\exacqVisionESM\apache_solr\apache-solr\server\solr\collection1\conf\solrconfig.xml”
    • For 32-bit: “C:\exacqVisionESM\apache_solr\apache-solr\solr\collection1\conf\solrconfig.xml”
  4. Add the following highlighted section just above the “Function Parsers” line:
  5. If 64-bit, click ‘File’, then ‘Open’, and navigate to the following file: “C:\exacqVisionESM\apache_solr\apache-solr\bin\solr.cmd”
    • Find the line: set START_OPTS=%START_OPTS% !GC_TUNE! %GC_LOG_OPTS%
    • Below this line, add the following: set "START_OPTS=%START_OPTS% -Ddisable.configEdit=%true%"
  6. Save the file.
  7. Click ‘File’, then ‘Open’, and navigate to the following file based on your install location:
    • For 64-bit: Launch ‘regedit’ from the Start menu.
      • Go to HKEY_LOCAL_MACHINE->SYSTEM->ControlSet001->Services->solrJetty
      • Double-click ImagePath
      • In value data put double quotes around C:\PROGRA~1\EXACQV~1\ENTERP~1\apache_solr/apache-solr\scripts\prunsrv.exe
    • For 32-bit: “C:\exacqVisionESM\apache_solr\apache-solr\scripts\serviceinstall.bat”
      • Find the entry: ++JvmOptions=-XX:MaxPermSize=128M
      • Add a space after this entry and add: ++JvmOptions=-Ddisable.configEdit=true
      • Find the quoted text: --Install="C:\exacqVisionEsm\apache_solr/apache-solr\scripts\prunsrv.exe\"
      • Replace it with: --Install='"C:\exacqVisionEsm\apache_solr/apache-solr\scripts\prunsrv.exe\"'
    • Note: Ensure there is a space after this entry.
  8. Save the file and close Notepad.
  9. Click the Windows ‘Start’ button and type ‘cmd’. Right-click on ‘Command Prompt’ and select ‘Run as administrator’.
  10. Run the following two commands sequentially:
    • C:\exacqVisionEsm\apache_solr\apache-solr\scripts\serviceinstall.bat
    • C:\exacqVisionEsm\apache_solr\apache-solr\scripts\serviceinstall.bat INSTALL
  11. Launch services, then start ‘solrJetty’.

For Linux

Note: File paths vary depending on installation, 64-bit or 32-bit.

  1. Open a Terminal.
  2. Stop ESMWebservice with the following command:
    • sudo /usr/local/exacq/esm/scripts/ESMWebservice stop
    • Enter your password and press “Enter”
  3. Open ‘gedit’ (or your preferred text editor) with ‘sudo’ privileges with the following command: sudo gedit
  4. Click ‘File’, then ‘Open’, and navigate to the following file based on your install location:
    • For 64bit: “/usr/local/exacq/esm/apache_solr/apache-solr/server/solr/collection1/conf/solrconfig.xml”
    • For 32bit: “/usr/local/exacq/esm/apache_solr/apache-solr/solr/collection1/conf/solrconfig.xml”
  5. Add the following highlighted section just above the “Function Parsers” line:
  6. Save the file.
  7. Click ‘File’, then ‘Open’, and navigate to the following file based on your install location:
    • For 64-bit: “/usr/local/exacq/esm/apache_solr/apache-solr/bin/solr”
      • Before the line that reads: SOLR_START_OPTS
      • Add the line: DISABLE_CONFIG_EDIT="true"
      • Find the line with "${SOLR_HOST_ARG[@]}" "-Duser.timezone=$SOLR_TIMEZONE" \
      • Change the line to:
        "${SOLR_HOST_ARG[@]}" "-Duser.timezone=$SOLR_TIMEZONE" "-Ddisable.configEdit=$DISABLE_CONFIG_EDIT" \
    • For 32-bit: “/usr/local/exacq/esm/apache_solr/apache-solr/scripts/ctl.sh”
      • After the line: SOLR_PID=""
      • Add a new line: DISABLE_CONFIG_EDIT="true"
      • Change the line: SOLR=
      • To: SOLR="$JAVABIN -Dsolr.solr.home=$SOLR_HOME -Djetty.logs=$INSTALL_PATH/logs/ -Djetty.home=$INSTALL_PATH/ -jar $INSTALL_PATH/start.jar $INSTALL_PATH/etc/jetty.xml -Ddisable.configEdit=$DISABLE_CONFIG_EDIT"
  8. Save the file and close gedit.
  9. Back in the terminal, run the following command:
    • sudo /usr/local/exacq/esm/apache_solr/ctlscript.sh restart
  10. Restart ESMWebservice with the following command:
    • sudo /usr/local/exacq/esm/scripts/ESMWebservice start
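
A quick audit of the edited Linux start script confirms that the disable.configEdit flag will actually reach the JVM with the value true. This is an added example, not Exacq or Apache code; the function name check_config_edit and the sample file contents are constructed for illustration. It also catches typographic quotes, which become part of the value when the lines are copied from a rendered page or PDF into a shell script.

```shell
#!/bin/sh
# Added example (not vendor code): audit an edited Solr start script.
# check_config_edit FILE returns:
#   0 = flag is passed with the value true
#   1 = flag missing, commented out, or not set to true
#   2 = typographic (curly) quotes found in the edited lines
#   3 = file is not readable
check_config_edit() {
    script=$1
    [ -r "$script" ] || return 3
    # Collect the edited lines, ignoring commented-out ones.
    edited=$(grep -E 'DISABLE_CONFIG_EDIT|disable\.configEdit' "$script" |
             grep -v '^[[:space:]]*#') || return 1
    # Curly quotes are not shell quoting characters; they end up inside the
    # value, so the JVM never sees the literal string true.
    if printf '%s\n' "$edited" | grep -qF -e '“' -e '”' -e '‘' -e '’'; then
        return 2
    fi
    # Case 1: the JVM flag carries the literal value.
    if printf '%s\n' "$edited" |
       grep -Eq -- '-Ddisable\.configEdit=true([^[:alnum:]]|$)'; then
        return 0
    fi
    # Case 2: the flag expands the variable, which must be assigned true.
    if printf '%s\n' "$edited" |
         grep -Eq -- '-Ddisable\.configEdit=\$\{?DISABLE_CONFIG_EDIT\}?' &&
       printf '%s\n' "$edited" |
         grep -Eq '^[[:space:]]*DISABLE_CONFIG_EDIT=("true"|true)[[:space:]]*$'; then
        return 0
    fi
    return 1
}

# Constructed samples (not real ESM files): a correct edit and a pasted one.
demo_dir=$(mktemp -d)
printf '%s\n' 'DISABLE_CONFIG_EDIT="true"' \
  '"-Duser.timezone=$SOLR_TIMEZONE" "-Ddisable.configEdit=$DISABLE_CONFIG_EDIT" \' \
  > "$demo_dir/good"
printf '%s\n' 'DISABLE_CONFIG_EDIT=”true”' \
  '"-Duser.timezone=$SOLR_TIMEZONE" "-Ddisable.configEdit=$DISABLE_CONFIG_EDIT" \' \
  > "$demo_dir/curly"
for f in good curly; do
    rc=0; check_config_edit "$demo_dir/$f" || rc=$?
    echo "$f: status $rc"
done
rm -rf "$demo_dir"
```

Run the function against bin/solr (64-bit) or scripts/ctl.sh (32-bit) after saving the file and before restarting the services.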


Modifying ESM Security Access

Tyco Security Solutions has confirmed a vulnerability in the exacqVision Enterprise System Manager (ESM) v5.12.2 application whereby unauthorized privilege escalation can be achieved, and is providing guidance on mitigation actions to avoid a potential exploit.

Scope: This vulnerability impacts exacqVision ESM v5.12.2 and all prior versions of ESM running on a Windows operating system (except Windows Server). This issue does not impact Linux deployments with permissions that are not inherited from the root directory.

Mitigation: The following mitigating steps are recommended for Windows 10 Desktop OS. Other versions of Windows may have different nomenclature, but the same mitigating steps are recommended.

Launch a command prompt with Administrator privileges, then run the following 4 commands sequentially:

  • cacls C:\exacqVisionESM /e /R "Authenticated Users"
  • cacls C:\exacqVisionESM\uninstall.exe /e /R "Authenticated Users"
  • cacls C:\exacqVisionESM\EnterpriseSystemManager /e /T /R "Authenticated Users"
  • cacls C:\exacqVisionESM\apache_solr /e /T /R "Authenticated Users"

Open the ‘Services’ applet and restart all of the following:

  • ESMImporter
  • ESMDatarolloff
  • ESMSendemail
  • ESMWebservice
  • solrJetty
  • solrApache

Fix: Tyco Security Solutions is working on a fix that will be incorporated into a future version of the exacqVision ESM that will not require the foregoing manual mitigation process to be executed.

References: CPP-PSA-2019-01 – Please visit the Tyco Security Solutions, Cyber Protection website to register for and download security advisories.


Configuring live video streams in Enterprise Manager

Live video streaming is available in Enterprise Manager (EM), formerly known as Enterprise System Manager (ESM). This is useful for examining camera stream quality through the EM interface and is also used for EM’s Camera Inspection feature.

Older versions relied on the ExacqVision Web Service to stream video, but beginning in ESM version 5.12, the ExacqVision Web Service is no longer required. Video is now directly streamed from the ExacqVision Server.

To accomplish this, the user account logged into Enterprise Manager must have specific privileges and permissions enabled.

NOTE: It is normally understood that Administrator accounts have privileges to perform everything possible. However, within Enterprise Manager, live video streaming while logged in as admin is prevented. This is both because EM admin accounts have no server account and because it serves as a privacy feature. Instead, you will need to log into EM as a user other than the EM administrator. This account must have Live Viewing privileges to the cameras of interest.


Creating a User Account for Live Viewing

As mentioned above, the user you log into Enterprise Manager with must have Live Viewing privileges to the cameras of interest on each server involved. If you wish to provide access to existing users, be sure that they have Live Viewing Privileges enabled for any video inputs they need to view.

  1. Click on Users from the navigation menu.
  2. Click on the Add User icon from the Users toolbar.
  3. If creating a new user account, select a Server User Role with Live Viewing privileges. The pre-configured roles with Live Viewing privileges include:
    • Admin
    • Power User
    • Live Only
    • Live + Search
  4. If you choose to create a Custom User Role, either on the server itself or through EM’s User Roles page, enable Allow Live Viewing Privileges, and provide access to the specific video inputs under Permissions.
  5. Select a role, as needed, for each ExacqVision Server or server group listed.
  6. After making changes, allow some time for the changes to sync across your systems.

Configuring a New Server for Live Viewing

  1. Click on Servers from the navigation panel.
  2. Click the Add Server link.
  3. Complete the information about the server as needed.
  4. Enable the check box next to Enable Live Streaming.
  5. Click Save to save your changes when done.

Configuring an Existing Server for Live Viewing

  1. Click on Servers from the navigation panel.
  2. From the Server List, locate the server of interest and click it to reach the system information page.
  3. Click the Edit icon from the system toolbar.
  4. Enable the check box next to Enable Live Streaming.
  5. Click Apply to save your changes when done.

Viewing Live Streams

  1. Log in to Enterprise Manager as the non-Admin EM user.
  2. Navigate to a camera by one of the following:
    • Use the Cameras link from the navigation menu on the left, then click the Camera name from the Cameras List.
    • From the Servers List, open the server details page of a particular server and scroll to the list of Cameras on that server, then click the link to the Camera name.
  3. Once on the Camera details page, scroll to the Video Feed section.
  4. Click on the Play Video icon to start streaming.

    NOTE: If the account you are logged into EM with does not have privileges to view live video, a “No live privilege on the server” message will be displayed. See the information above on creating or logging in with an appropriate account.
  5. Selecting the link, Use current image as camera image, below the video feed will set the current view as a reference thumbnail at the top of the camera details page as well as provide a reference image when using the Camera Inspection tool within EM.


ESM 5.4 Displays Incorrect User Status on User List Page

Symptom:

The User List page always shows a red ‘X’, indicating the user has a conflict. 

Problem:

This shows incorrectly even if the user is sync’d properly. 

Solution:

Update ESM to version 5.5.6 or higher. 


Unable to Edit Web Service Scheduled Update in ESM

Symptom:

When scheduling an update to a web service through ESM, a user cannot edit the scheduled update. 

Problem:

Clicking on the Edit option for a scheduled update to a web service from within ESM results in an error. 

This can be seen from the Web Services page when clicking to the Web Service Actions display, which will list upcoming actions. 

Solution:

Update ESM to version 5.6 or higher. 

Alternatively, the workaround is to delete the scheduled update and create a new scheduled update with the date/time desired. 


How to Manually Dump the ESM Schema

If you want to extract the schema of ESM, perform the following steps:

1.  Navigate to the install folder:

      Windows:  C:\exacqVisionESM\EnterpriseSystemManager\

      Linux:  /usr/local/exacq/esm/

2.  Execute the following:

      Windows:   installer.exe generatescripts PATH\FILENAME 

      Linux:   ./installer generate scripts PATH/FILENAME 


Using ESM with MS SQL Server

For ESM to run successfully with an MS SQL Server database, the user role that ESM is using should, at minimum, have the following permissions:

  • ddladmin
  • dbwriter
  • dbreader


Distorted login page for deleted users actively on ESM webpage

Description

A user who is deleted while logged into ESM in a browser will see a distorted login page.

Tested Version

1.11.2.50128

Platform

All.

Steps to reproduce

  • Log into ESM as a user.
  • With an ESM admin, delete the user from the step above.

Expected result

User sees a login page.

Actual result

User sees a distorted layout login page.

Work around

Refresh the page.


Changing the EM Web Service port

Enterprise Manager (EM), formerly known as Enterprise System Manager (ESM), uses Apache to provide the underlying web server.

During initial install a graphical dialogue will allow you to change your port numbers.

If you’ve already installed the application you may wish to perform this change manually.

The first step to manual editing is to find the location of the config file where the port numbers are held. This depends on both the platform (operating system) and version of the Web Service you have installed. The default installation location for the configuration file httpd.conf is as follows:

Windows:

  • HTTP:
    • C:\Program Files\exacqVision\EnterpriseManager\apache\conf\https.conf
  • HTTPS:
    • C:\Program Files\exacqVision\EnterpriseManager\apache\extra\httpd-ssl.conf

Linux:

  • HTTP:
    • /usr/local/exacq/em/apache/conf/httpd.conf
  • HTTPS:
    • /usr/local/exacq/em/apache/conf/extra/httpd-ssl.conf

Determine where this file is for your install before continuing.

Once you have found the file, open it using your editor of choice (be sure to do so with administrative privileges) and perform either of the following depending on its name:

For httpd.conf (HTTP port) and httpd-ssl.conf (HTTPS port):

  1. Find the Listen directive in the file
    • For example, if the current port is 80, the line should read Listen 80
  2. Modify the port number as desired
  3. Save the file and restart the following services:
    • ExacqVision Enterprise Manager Apache
    • ExacqVision Enterprise Manager Web Service


Exacq Software/Service Connections Diagram

This diagram illustrates how the various Exacq applications work together and the ports used to communicate.

Internal (LAN)

Remote (WAN)

In cases where external users plan to connect for remote monitoring, you may need to configure port forwarding on your router to allow traffic on those ports to pass through. exacqVision provides several ways to connect to your system from outside of your site’s LAN.

  • The Desktop Client software requires port forwarding.
  • Users of the exacqVision Mobile app may configure port forwarding or use the Remote Connectivity feature, configured within the Desktop Client.
  • Users connecting with the Web Browser Client or the Exacq Mobile 3 app may configure port forwarding, or use the Relay Service, configured within the exacqVision Web Service.

Remote Management

In the case of the Integrator Service Portal (ISP), this may connect to the server using an inbound connection to port 22609, or the server may be configured for an outbound connection to reach out to the ISP.

Additional Links

See also: exacqVision Default Ports

See also: Example Network Diagram for Multi-NIC Systems
