Product Security Advisory – CVE-2021-3156

Overview
Ubuntu recently announced security vulnerabilities that impact the exacqVision Network Video Recorder versions which use the Ubuntu Linux operating system. These affect a built-in Linux application called “Sudo” which controls the provisioning of super user (administrator) access to the operating system which, under certain circumstances, could be leveraged by an attacker to achieve unauthorized privilege escalation. Johnson Controls recommends that customers apply the Ubuntu security updates to all affected exacqVision product deployments.

Impact
Under specific circumstances, a local attacker could use this issue to obtain unintended super user access to the underlying Ubuntu operating system.

Affected Versions
exacqVision is available in both Windows and Linux versions. This issue affects all unpatched versions of the Ubuntu operating system used on Linux based Z-Series and A-Series and all Q-Series, G-Series, Legacy LC-Series, and Legacy ELP-Series exacqVision Network Video Recorders (NVR), as well as Linux based C-Series Workstations and all S-Series Storage Servers.

Mitigation
Install the latest security updates for the Ubuntu operating system. Users may contact exacqVision technical support for assistance with updating their operating system.
https://exacq.com/support/techsupport/

Initial Publication
April 29, 2021

Last Published
April 29, 2021

Resources
Cyber Solutions Website – https://www.johnsoncontrols.com/cyber-solutions/security-advisories
CVE-2021-3156 – NIST National Vulnerability Database (NVD) and MITRE CVE® List
ICSA-21-119-03 – CISA ICS-CERT Advisories
Ubuntu Security Notice 1 – https://ubuntu.com/security/notices/USN-4705-1
Ubuntu Security Notice 2 – https://ubuntu.com/security/notices/USN-4705-2


Ubuntu 18.04 and 16.04 Update Instructions

From the Ubuntu Desktop, click on “Applications > System Tools > Terminal”

Ensure your system can access the internet. Run the following command to update the available software from Ubuntu’s repository.

sudo apt update

To update all packages (including kernel updates), run the following command:

sudo apt dist-upgrade

NOTE: Alternatively, to only update what’s necessary to address this vulnerability, run the following command:

sudo apt install --only-upgrade sudo

When you are prompted to continue, type ‘Y’ and press ‘Enter’.


Enabling Onboard Keyboard in exacqVision Ubuntu 10.04 and 12.04 Images

In 2013, the exacqVision Ubuntu 10.04 image was rebuilt, and the onboard keyboard configuration was not included in the rebuild. Affected images can be easily identified by the Exacq wallpaper displayed on the Desktop. Also, because of an issue with onboard packages found in the Ubuntu repository, the onscreen keyboard was not included in exacqVision 12.04 images created before April 2015.

To enable the onboard keyboard, you must install one of the attached scripts for your Ubuntu version using the following instructions.


Ubuntu 10.04

To install the 10.04 image, complete the following steps:

  1. Log in to the system as an administrator.
  2. Download the ConfigOnboardKeyboard.sh script attached to this article and save it to the /tmp directory.
  3. Open a Terminal window and type cd /tmp.
  4. Change the script to executable by running chmod 775 ConfigOnboardKeyboard.sh.
  5. Run sudo ./ConfigOnboardKeyboard.sh.
  6. Restart the server.

The onboard keyboard can now be opened by clicking the center key of the mouse.


Ubuntu 12.04

NOTE: The 12.04 image can also run a script, but it must be run from the local admin account. New packages from a PPA repository are added, which means Internet access is required.

The 12.04 script does the following:

  1. Adds a PPA repository for onboard with updated packages.
  2. Installs onboard and supporting packages.
  3. Updates the LightDM login screen to show the user accessibility applet.
  4. Adds an onboard applet icon to top panel of the user account. The onboard keyboard can be run from that panel.


To install the 12.04 image, complete the following steps:

  1. Log in to the system as an administrator.
  2. Download the 1204ConfigOnboardKeyboard.sh script attached to this article and save it to the /tmp directory.
  3. Open a Terminal window and type cd /tmp.
  4. Change the script to executable by running chmod 775 1204ConfigOnboardKeyboard.sh.
  5. Run sudo ./1204ConfigOnboardKeyboard.sh.
  6. Close the Terminal window.
  7. Log out as the administrator and return to the LightDM login screen. The Universal Access icon is located in the top right of the panel. Click the icon for access to the onboard keyboard.
  8. When logged in to the user account, the onboard icon appears in the top panel. You can move the keyboard around using the cross double arrow key on the right side of the keyboard.
  9. When logged in as the administrator, the onboard keyboard is disabled by default. You must click on the onboard keyboard shortcut on the Desktop.


ConfigOnboardKeyboard Link: https://support.americandynamics.net/#/file-manager/file/00bde78e-6b3d-4f59-91bb-2769c0d6e0ba/config-onboard-keyboard-sh


1204ConfigOnboardKeyboard Link: https://support.americandynamics.net/#/file-manager/file/c9764721-227b-4350-a354-10a09448bf8e/1204-config-onboard-keyboard-sh


Factory defaulted Illustra cameras cannot be discovered by exacqVision running on Ubuntu

Symptom

When Illustra cameras are factory defaulted they have a gateway value of 0.0.0.0 in the network settings. Ubuntu servers use a mechanism called “reverse path filtering” set


Affected platforms

Illustra Pro, Flex and Essentials cameras
Ubuntu 10.04, 12.04, 14.04


Workaround

Edit the network security configuration file in /etc/sysctl.d/
Change the value from Strict mode (1) to Loose mode (2) for all interfaces.

0 – No source validation.
1 – Strict mode as defined in RFC3704 Strict Reverse Path
Each incoming packet is tested against the FIB and if the interface
is not the best reverse path the packet check will fail.
By default failed packets are discarded.
2 – Loose mode as defined in RFC3704 Loose Reverse Path
Each incoming packet’s source address is also tested against the FIB
and if the source address is not reachable via any interface
the packet check will fail.

The exacqVision 7.2 service installer is being modified to set this value to 2 during install of exacqVision.


exacqVision Server/Client OS: Linux Open LDAP

exacqVision-Server_Client-OS_-Linux-Open-LDAP.pdf

Changing the Kiosk User Language On Ubuntu/Linux

Systems built by Exacq with Ubuntu 16.04 and higher will have an ‘Exacq Kiosk User’ icon on the administrator’s Desktop. More details on Kiosk users can be found at KB:22542.

Click to run this program.

There should be no users listed here when you begin. If there are already Kiosk user accounts created, the following configuration steps will only apply to new accounts created. If you wish to use an account name you have already added, you will need to remove it and add it back in later steps. 

To remove an existing Kiosk user account, enter the name again and you will be asked if you wish to Delete the account. Click on ‘Delete this User’.

Once you have removed the Kiosk user account(s), you will be returned to the Kiosk user setup program, click the ‘Quit’ button. 

You should also check the ‘User and Group’ settings to see if other user accounts exist. This can be found under the Applications > System Tools > Administration menu on the Desktop. 

In the top-right corner of the Desktop, click on the monitor icon and select ‘System Settings…’.

Open the ‘Language Support’ option

In the ‘Language Support’ dialog you will see some languages may already be installed. Click on ‘Install / Remove Languages’ if you do not see your desired language listed.

Scroll through the list of languages and check mark any languages you wish to install. You may select more than one if needed. Click ‘Apply’. You will be prompted to enter administrator credentials.

When you have returned to the ‘Language Support’ dialog you will need to find the language you installed in the list. Click and drag the language name to the top of the list, as seen in the example below where ‘Deutsch’ has been placed above ‘English’ in the list. Despite being grayed out you can still drag these to the top.

When the language chosen has been moved to the top of the list, click the button labeled ‘Apply System-Wide’. The change will not take effect until the user logs in again. Click the ‘Close’ button. 

From the Desktop, log out of the system as administrator and log back in with the same administrative account. You should now see that the exacqVision Client appears in the language chosen. 

Now you will create your Kiosk user. Click on the ‘Exacq Kiosk User’ icon on the Desktop again. 

When the dialog appears, enter the name of the user account you wish to create and click ‘OK’.

A new dialog will appear. Enter the password you wish to assign to the Kiosk user. Change the drop-down menu to the language locale you want to assign to the user and click ‘OK’.

When you have returned to the ‘Exacq Kiosk User’ dialog, click on the ‘Quit’ button to return to the Desktop.

Open the Terminal program. 

From the Terminal prompt you will create an SSH session to the Kiosk user’s account. At the prompt, type:

 ssh user@localhost  

In this example the Kiosk user was named ‘user’; replace ‘user’ with the name you gave the account in the previous steps.

When you press ‘Enter’ you will be prompted to enter the password you assigned to the Kiosk user in the previous steps. Type this password and press ‘Enter’.  NOTE: The Linux Terminal does not display text when entering passwords, but you are entering keystrokes. 

When the prompt returns, type:

 cd /home/$USER  

Press ‘Enter’. At the next prompt, type:

 nano .pam_environment  

Press ‘Enter’. 

You should now see the following:

This is the nano text editor in Terminal. You may use the arrow keys on the keyboard to move the cursor. Delete all but the second line, reading ‘LC_TIME=XX_XX.UTF-8’, where XX_XX specifies the language. The final file should appear like the example below:

Press ‘CTRL+X’ on the keyboard to exit the nano editor.

When prompted below, press ‘Y’ and then ‘Enter’. 

Another prompt appears, press ‘Enter’.

You may now close the Terminal and log out from the Desktop. When you log back into the operating system as your new Kiosk user the exacqVision Client will now display in your chosen language. 


Changing-the-Kiosk-User-Language-On-Ubuntu-Linux.pdf

Setting up the Kiosk User for ExacqVision Systems

Windows systems built by ExacqVision no longer ship with a default ‘admin’ and restricted ‘user’ account beginning with Windows 10.

Some early Ubuntu 16.04 images still contain the ‘admin’ account, but do not have the restricted ‘user’ (this was changed in a later image, which will not have either ‘admin’ or ‘user’).

This change is due to security compliance requirements. 

The first time a system boots, the user will be asked to create a custom user account with admin privileges. 

To enable similar functionality of the old restricted ‘user’ account, you will need to enable ‘Kiosk Mode’ by following the instructions below, based on your operating system.


Windows 10

1. Access the Desktop for your custom user created when the machine first booted.

2. Double-click the Setup Kiosk Mode script.

3. Follow the prompts to set a custom account name, enter the desired password twice, then use Y or N to determine if the OS will automatically boot to the new restricted Kiosk user.

To undo the changes, use the Undo Kiosk Mode script and follow the prompts.


Ubuntu 16.04 & higher

1. Access the Desktop for your custom user created when the machine first booted.

2. Use the Exacq Kiosk User either on the Desktop, or from the menu Applications > Exacq.

3. Type in your desired restricted user account name.

NOTE: Ubuntu has the following restrictions for user names.

  • Must start with a lowercase letter
  • May only contain lowercase letters, underscore (_), and dash (-)
  • May optionally end with a dollar sign ($)

4. Enter your desired password, then check the Auto Login User option if the OS will automatically boot to the new restricted Kiosk user.

5. To undo the changes, run the same Exacq Kiosk User link on the Desktop and type in the name of the user you want to remove or modify.


Troubleshooting

In the event you get an error similar to the following, check the user name to ensure it meets Ubuntu’s restrictions.

  • Must start with a lowercase letter
  • May only contain lowercase letters, underscore (_), and dash (-)
  • May optionally end with a dollar sign ($)



ExacqPacq16 – Service Pack for exacqVision Systems running Ubuntu 16.04.

Several changes and fixes to the exacqVision Ubuntu 16.04 image have been rolled into a single installer – ExacqPacq16. 

Information regarding the changes and the versions that included them is available below. You can check the current Image version and which exacqpacq16 versions (if any) are installed on your Linux machine by running the following in terminal:

head /Release_Notes.txt

head /Release-Notes_ExacqPacq16.txt


To install on an existing system, use the following steps:

1. Access the hidden downloads page at https://exacq.com/files

2. Download ‘exacqpacq16’ under ‘Ubuntu Service Pack > 16.04’

3. On the exacqVision Server, login to the admin Desktop.

4. Copy the ‘exacqpacq16’ file to the Desktop.

5. Run the following 3 commands in a terminal:

cd /home/admin/Desktop

sudo chmod 775 exacqpacq16

sudo ./exacqpacq16

6. Reboot


Versions

Version 18-10-06-01

* updated exacq Kiosk to version 18.07.09.04
* updated exacq linux utilities to version 18.08.22.01
* updating exacq vision una to version 18.08.09.01
* install exacqnetrules version 18.09.20.01
* Set swappiness to 10 to improve performance
* set cron job to kill initctl process once an hour. Ticket #11739
* DHCP timeout reduced to 30 seconds in networking.service
* ifplugd package removed from image. Ticket #14765



Version 18.06.15.01

* change .xsession errors attribute from +a to +i



Version 18.04.23.01

* Installation log can now be accessed by admin account



Version 18.04.19.01

* Removed Indicator-datetime #14784
* Added Python-requests package #15197
* Removed fcitx0module-kimpanel #14374
* Added libwebkitgtk package #14771
* Install ExacqLinuxUtilities Version
* Install Exacq Kiosk User Version
* Update libegl1-mesa Client Dependency Debs #15785
* Set X-Session Errors files to Immutable #15464
* Turn off automatic apt update package list #15432
* Puts MSM Shortcut on Desktop if Missing #15308
* Patch x-session errors files filling up root partition Ticket #15432 15426
* Disable automatic Periodic Updates #15464
* installed exacqlinuxutilities version 18.04.04.02
* install exacqkiosk version 18.04.04.01


ExacqPacq16-Service-Pack-for-exacqVision-Systems-running-Ubuntu-16.04.pdf

exacqVision Export Video File Types

Video may be exported from exacqVision in different formats. The table below illustrates some of the differences in these formats.

File Type Features Table

Multi-Camera: For the purposes of this article, multi-camera means many camera streams are combined into a single exported file. When exporting as .MOV, .AVI, or .MP4 each stream will end up as its own file.

Self-Playing: The .EXE file format bundles the exacqVision ePlayer into the file. This allows the file to be opened and played back on any Windows desktop or server operating system. This file format does not play natively on Ubuntu/Linux or Mac systems.

For more details on .AVI and .MOV usage and codecs, please refer to Article 1925



Adding Desktop Trash Bin in Ubuntu

Steps below are separated by version. To find your version, open a Terminal CLI using the Menu bar, or pressing CTRL+ALT+T.

Entering one of the following commands will display your version information.

  • cat /etc/issue
  • lsb_release -a


Ubuntu 18.04 & 20.04

  1. From the System menu, expand the Look and Feel menu, then select MATE Tweak.
  2. On the Desktop page, place a check mark in the box beside ‘Trash’.


Ubuntu 14.04 & 16.04

  1. Ubuntu 14.04 has two options for Desktop trash access. You can enable the trash on the panel bar at the bottom of the Desktop or place an icon on the Desktop.
  2. From the Desktop, press Alt-F2. Type in “dconf-editor” and select “Run”.
  3. In the navigation tree on the left, drill down into org > gnome > nautilus > desktop.
  4. Place a check mark in the box next to “trash-icon-visible”.
  5. If you want to place a small Trash icon in the panel bar across the bottom of the Desktop, hold the Alt key and right-click on the panel bar. Select “Add to Panel”.
  6. Scroll down, select Trash and click the Add button.


Ubuntu 12.04

  1. Ubuntu 12.04 has two options for Desktop trash access. You can enable the trash on the panel bar at the top of the Desktop or place an icon on the Desktop.
  2. From the Desktop, select the Applications menu from the top menu bar. Drill down to System Tools > Preferences > Advanced Settings.
  3. Select Desktop from the left pane. Turn on ‘Trash icon visible on desktop.’
  4. If you want to place a small Trash icon in the panel bar across the top of the Desktop, hold the Alt key and right-click on the panel bar. Select “Add to Panel”.
  5. Scroll down, select Trash and click the Add button.


Ubuntu 10.04

  1. Ubuntu 10.04 has two options for a visible trash can. You can enable the trash on the panel bar at the bottom of the Desktop or place an icon on the Desktop.
  2. To place a trash icon on the panel bar, right-click on the panel bar and select “Add to Panel”.
  3. Scroll down and select “Trash”, then click the Add button.
  4. To place an icon on the Desktop, press Alt-F2. Enter “gconf-editor” and select “Run”.
  5. Drill down into apps > nautilus > desktop. Place a check mark next to “trash_icon_visible”.


Ubuntu 8.04

  1. Ubuntu 8.04 has two options for a visible trash can. You can enable the trash on the panel bar at the bottom of the Desktop or place an icon on the Desktop.
  2. To place a trash icon on the panel bar, right-click on the panel bar and select “Add to Panel”.
  3. Scroll down the menu and select “Trash”, then click the Add button.
  4. To place an icon on the Desktop, press Alt-F2. Enter “gconf-editor” and select “Run”.
  5. Drill down into apps > nautilus > desktop. Place a check mark next to “trash_icon_visible”.



Manually Testing Email Notifications with cURL

Note: while you can test your profile/server via client’s Test Profile button, you won’t get cURL’s most complete debug information, which can sometimes be very informative when diagnosing notification failures.


ExacqVision Server versions 6.8 and higher use cURL to send notifications. If you are experiencing failures in sending notifications from the servers you may find error codes in the ExacqVision logs indicating the problem. In performing manual testing, you can remove ExacqVision from the equation and test only the cURL mechanism used to send notifications to your SMTP server using the following steps:

  1. Open a CMD prompt in Windows or Terminal on Ubuntu/Linux.
  2. Navigate to the ExacqVision Server directory with the cd command.

    Windows 32-bit – C:\Program Files (x86)\exacqVision\Server
    Windows 64-bit – C:\Program Files\exacqVision\Server
    Ubuntu – /usr/local/exacq/server
  3. Enter the following command string into the CMD prompt window, replacing the placeholders with the details of your SMTP server and account:
    curl smtps://url -v --mail-from "from-address@domain" --mail-rcpt "to-address@domain" -u useraccount:password -T "samplefile.txt" -k --anyauth --connect-timeout 60 --stderr -
    As an example, the above command with the proper credentials would look like the following:
    curl smtps://smtp.gmail.com:465 -v --mail-from "notifyme@gmail.com" --mail-rcpt "user@company.com" -u notifyme@gmail.com:P@ssw0rd -T "C:\Users\anyuser\Desktop\test.txt" -k --anyauth --connect-timeout 60 --stderr -
    Here’s an example of the text file:

    {{{
    To: user1@company.com
    To: user2@company.com
    Cc: user3@company.com
    Cc: user4@company.com
    Subject: Test subject

    Body of message.
    }}}


Notes

  • When testing on Ubuntu/Linux you must use the absolute file path to curl: (/usr/local/exacq/server/curl smtps://url...)
  • Because this contains the -v option the output will be verbose. Any errors will be shown as well as any successes. cURL error code meanings can be found online.
  • cURL errors can be looked up here.
  • SMTP errors can be looked up here.


Considerations for Gmail

  • Gmail ALWAYS requires SSL. If you attempt to use without SSL, you will likely get:
    curl: (55) MAIL failed: 530
  • With SSL, the following error is possible if Gmail is not configured with an App Password.
    curl: (67) Login denied
  • Gmail will require an App Password be configured for ExacqVision to send notifications.
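
An added example, not from the Exacq article: the same manual test prepared so that the account password sits in an owner-only curl config file and the -k option is left out, which makes curl verify the SMTP server's certificate. The host, addresses and file names are constructed placeholders, and the function names are assumptions for this example.

```sh
#!/bin/sh
# Added example; host, addresses and file names are constructed placeholders.

# Escape backslashes and double quotes for a quoted curl config value.
esc() {
    printf '%s' "$1" | sed 's/[\\"]/\\&/g'
}

# write_test_message FILE FROM TO SUBJECT
# The empty line separates the mail headers from the body.
write_test_message() {
    printf 'From: %s\nTo: %s\nSubject: %s\n\nBody of message.\n' \
        "$2" "$3" "$4" > "$1"
}

# write_curl_config FILE URL FROM TO USER MESSAGE_FILE
# Reads the password from standard input, so it is never an argument that
# could end up in shell history or a process listing. The config carries the
# options of the manual test command except -k (insecure) and --anyauth.
write_curl_config() {
    IFS= read -r pw || [ -n "$pw" ] || return 1
    (
        umask 077   # a newly created file gets no group/other access
        cat > "$1" <<EOF
url = "$(esc "$2")"
mail-from = "$(esc "$3")"
mail-rcpt = "$(esc "$4")"
user = "$(esc "$5:$pw")"
upload-file = "$(esc "$6")"
connect-timeout = 60
verbose
EOF
    )
    chmod 600 "$1"  # also tightens a file that already existed
    unset pw
}

# Usage on an Ubuntu exacqVision server (constructed values; the password is
# typed once on standard input):
#   write_test_message /tmp/msg.txt notifyme@example.test user@example.test "Test subject"
#   write_curl_config "$HOME/smtp-test.conf" smtps://smtp.example.test:465 \
#       notifyme@example.test user@example.test notifyme@example.test /tmp/msg.txt
#   /usr/local/exacq/server/curl -K "$HOME/smtp-test.conf" --stderr -
#   rm -f "$HOME/smtp-test.conf"
```

If this run fails with a certificate error where the -k command succeeded, the problem is certificate trust rather than credentials or connectivity.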
