Overview:
Johnson Controls has confirmed a vulnerability impacting the exacqVision Web Service. The exacqVision Web Service is also included in the exacqVision Server Bundle along with the exacqVision Client and exacqVision Server. The exacqVision Web Service allows users to retrieve video and other data from exacqVision servers using a browser and mobile application. When passthrough / unauthenticated access is enabled, credentials for other systems connected to exacqVision could be exposed.
Impact:
Under certain configurations an unauthenticated remote user could be given access to credentials stored in the exacqVision Server.
Affected Versions:
- exacqVision Web Service version 21.06.11.0 or older.
Mitigation:
- Upgrade exacqVision Web Service to version 21.09.
- Current users can obtain the critical software update from the Software Downloads location at: https://www.exacq.com/support/downloads.php
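As an added example (not Johnson Controls code, and not part of the advisory), the helper below classifies an exacqVision Web Service version string against the boundaries the advisory gives, affected for 21.06.11.0 or older and fixed from 21.09, so an inventory of installed versions can be checked for systems still needing the update. The inventory entries are constructed sample values, not real hosts.

```python
"""Check exacqVision Web Service versions against the advisory's boundaries.

Added example, not vendor code. Boundaries come from the advisory text:
  affected: version 21.06.11.0 or older
  fixed:    version 21.09 (the recommended upgrade)
Versions between those two are not listed on the advisory, so they are
reported as "unknown" rather than assumed safe.
"""

from typing import List, Tuple

VERSION_FIELDS = 4  # exacqVision versions are written as up to four dotted numbers


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '21.06.11.0' into (21, 6, 11, 0).

    Shorter strings such as '21.09' are right-padded with zeros so that
    '21.09' and '21.09.0.0' compare equal. Non-numeric or over-long input
    raises ValueError rather than silently comparing wrong.
    """
    parts = [int(p) for p in version.strip().split(".")]
    if not 1 <= len(parts) <= VERSION_FIELDS:
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(parts + [0] * (VERSION_FIELDS - len(parts)))


# Boundaries taken from the advisory's Affected Versions / Mitigation sections.
AFFECTED_MAX = parse_version("21.06.11.0")
FIXED_MIN = parse_version("21.09")


def classify(version: str) -> str:
    """Return 'affected', 'fixed' or 'unknown' for an installed version."""
    v = parse_version(version)
    if v <= AFFECTED_MAX:
        return "affected"
    if v >= FIXED_MIN:
        return "fixed"
    return "unknown"


def audit_inventory(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Classify every (host, version) pair; malformed versions are flagged as 'invalid'."""
    report = []
    for host, version in inventory:
        try:
            status = classify(version)
        except ValueError:
            status = "invalid"
        report.append((host, version, status))
    return report


def hosts_needing_update(inventory: List[Tuple[str, str]]) -> List[str]:
    """Hosts whose status is anything other than 'fixed' still need attention."""
    return [host for host, _, status in audit_inventory(inventory) if status != "fixed"]


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical host names and versions).
    sample = [
        ("cam-server-01", "21.06.11.0"),
        ("cam-server-02", "20.12.4.0"),
        ("cam-server-03", "21.09"),
        ("cam-server-04", "21.07.2.0"),
        ("cam-server-05", "n/a"),
    ]
    for host, version, status in audit_inventory(sample):
        print(f"{host:15} {version:12} {status}")
```

Run it against an exported version list; anything not reported as fixed is a candidate for the 21.09 upgrade, and in the meantime for disabling passthrough / unauthenticated access on that Web Service.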
Resources:
- JCI Cyber Solutions Product Security Advisories Website (johnsoncontrols.com), advisory JCI-PSA-2021-16: https://www.johnsoncontrols.com/-/media/jci/cyber-solutions/product-security-advisories/2021/jci-psa-2021-16.pdf?la=en&hash=46C02304209410715E488DF9B74EDCA45FFCB908
- Common Vulnerabilities & Exposures (CVE) CVE-2021-27664 – National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) https://nvd.nist.gov/vuln/detail/CVE-2021-27664 (RESERVED but not posted yet) or MITRE CVE® List https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27664 (RESERVED but not posted yet)
- Cybersecurity & Infrastructure Security Agency (CISA) Industrial Control Systems (ICS) Advisories ICSA-21-280-01 https://us-cert.cisa.gov/ics/advisories/icsa-21-280-01