Tag: Vulnerability

Support procedure for reporting newly discovered cyber security vulnerabilities in Exacq Software

Post author By Brandon Powell
Post date July 17, 2023

This document will outline the procedures expected from Exacq Support staff in the event of discovering a previously unreported security vulnerability in an exacqVision product.

Product

Any exacqVision product

Procedure:

Verify the vulnerability has not already been properly reported at: https://www.johnsoncontrols.com/cyber-solutions/security-advisories
Email the GPS (Global Product Security) team at: productsecurity@jci.com
- Provide vulnerability analysis in this email and any relevant links
- Provide customer details and contact information in this email
- Provide software product and software versions in this email
- CC the customer on the email
Inform the customer you have notified the appropriate team (GPS) and will be closing the Support ticket.

Our Global Product Security team will then be responsible for following up with this customer and resolving vulnerability.

<br>

Tags 16441, Security, Cybersecurity, Cyber Attacks, Cyber-security, Vulnerability, Cyber Security, Level2, Vulnerability Scan, Security Advisory, Product Security, Global Product Security

Knowledge Support Support Categories exacqVision Hardware

Removing MegaRAID Storage Manager(MSM)

Post author By Tom Oakes
Post date August 23, 2022

Description

MegaRAID Storage Manager (MSM) has been found to have some exposure to CVE-2021-44228, the Apache Log4j remote code execution vulnerability, see statement from Broadcom Log4j2 Exposure (CVE-2021-44228). It is possible that MSM was installed on your exacqVision NVR even though a RAID controller card is not present. If that is the case MSM can be uninstalled using the following instructions.

NOTE: If the NVR has a RAID controller card please see one of our Replacing MegaRAID Storage Manager (MSM) Knowledge Base Articles for other options.

Products

Windows 10 (x64)
Windows Server 2016 (x64)
Windows Server 2019 (x64
Ubuntu 16.04 LTS and Earlier
Ubuntu 18.04 LTS
Ubunutu 20.04 LTS

Uninstalling MSM on Windows

Press the Windows key on keyboard to open the Start menu
Locate and select MegaRAID Storage Manager
Expand and select Uninstall
Confirm that you want to remove MegaRAID Storage Manager
Right click on MegaRAID Manager icon on desktop and click “Delete”

Uninstalling MSM on Linux

Double-click the Terminal icon on the desktop
Elevate to root using sudo -i
Remove the MSM package using dpkg -r
Ensure that the dpkg command completes with no errors.
Close the Terminal window

Tags Guest, Vulnerability, MegaRAID, LSI MSM, Linux/Ubuntu, Microsoft Windows Operating System, log4j, 12508, SFA000035441

Knowledge Support Support exacqVision Enterprise exacqVision Client exacqVision Server exacqVision Mobile exacqVision Webservice Categories Products

Does exacqVision Require Microsoft Silverlight?

Post author By Bhargav Atturu
Post date March 11, 2022

Summary

Microsoft Silverlight was installed on exacqVision Servers as part of Kantech Entrapass Web and has been flagged by vulnerability scans.

Description

Microsoft Silverlight reached the end of support on October 12, 2021.

Product

exacqVision Server
Kantech Entrapass Web
Microsoft Silverlight

Solution

If you are not utilizing Kantech Entrapass Web then Microsoft Silverlight can simply be uninstalled.
If you are using Kantech Entrapass Web, newer versions are available which no longer require Microsoft Siverlight.
See also: https://docs.johnsoncontrols.com/kantech/r/Kantech/en-US/EntraPass-Corporate-Edition-Administration-Guide/8.00/EntraPass-Help/EntraPass-web/EntraPass-web-8.00
Contact Kantech Technical Support for details https://kantech.com/Support/Contact_Technical_Support.aspx

Tags Guest, Kantech, Vulnerability, Microsoft Silverlight, Silverlight, 7072, SFA000034480

Knowledge Support Support exacqVision Enterprise

Updating Apache and Apache Solr on exacqVision Enterprise Manager – Windows

Post author By Tom Oakes
Post date January 5, 2022

To mitigate currently known vulnerabilities, the following updates are recommended. Apache to 2.4.51, Apache Solr to 7.5.0 and exacqVision Enterprise Manager (EM) to 21.12.1 or higher.

Note: Updates for both Apache and Apache Solr are available as part of the EM install package for version 21.09 and higher. However, updating to EM versions 21.12 or higher is recommended as this will also address the Log4j vulnerability.

WARNING: You must update EM manually i.e. download from our site and then launch the installer directly. The optional updates will not be prompted for if any other update method is used. Once the updates are in place future updates can be launched from the dashboard.

ALERT: If previous modifications have been made to the default configuration settings such as adding a certificate and key for SSL they will need to be reapplied. See Recover custom settings section below.

Determine the current version of Apache

Open and administrative Command Prompt
Navigate to C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\bin
Run the command httpd.exe -v
Make note of the Server Version

Determine the current version of Apache Solr

Open a browser and go to http://127.0.0.1:8983/solr/#
Make note of the Version

Determine the current version of exacqVision Enterprise Manager

From the EM dashboard
Click the Information icon in the upper right-hand corner
Select About
Make note of the Version

Install exacqVision Enterprise Manager

Download the 64-bit Enterprise Manager installer for Windows from our site at https://exacq.com/support/downloads.php. Note: 32-bit updates are not supported.
Launch the installer
During the install you will be prompted to update Apache Solr 7.5.0 and/or Apache 2.4.51 it is recommended that you check both.
A backup folder is created for folders being replaced by each update.
By default, the newly created backup folders will be located at:
C:\Program Files\exacqVision\EnterpriseManager\apache_solr.old
C:\Program Files\exacqVision\EnterpriseManager\apache2.old
Using the instructions provided earlier verify the versions of Apache, Apache-Solr and Enterprise Manager have changed to confirm the updates.

Note: Resource utilization may be high for a period of time after the update as reindexing is performed.

Recover custom settings (Optional)

As previously mentioned, the updates will overwrite any previous configuration changes. However, those settings were backed up as part of the update. By default, they are located at C:\Program Files\exacqVision\EnterpriseManager\apache_solr.old

Copy the file httpd-ssl.conf
from C:\Program Files\exacqVision\EnterpriseManager\apache_solr.old\apache2\conf\extra\
to C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\conf\extra
Copy httpd.conf
from C:\Program Files\exacqVision\EnterpriseManager\apache_solr.old\apache2\conf\
to C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\conf\
Copy server.crt
from C:\Program Files\exacqVision\EnterpriseManager\apache_solr.old\apache2\conf\
to C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\conf\
Copy server.key
from C:\Program Files\exacqVision\EnterpriseManager\apache_solr.old\apache2\conf\
to C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\conf\
Restart the solrApache Service

RESTORE (SPECIAL CASE)

When restoring EM to a previous version that used Apache Solr 6.6.0 or earlier it is necessary to manually restore an Apache Solr backup containing the targeted version of Apache Solr for that install. Note: If a backup does not exist a restore cannot be performed.

To perform a restore first determine the version of the apache_solr backup which is appropriate.
Stop all exacqVision Enterprise Manager service including solrApache and solrJetty.
Copy the existing C:\Program Files\exacqVision\EnterpriseManager\apache_solr folder to a safe location renaming it as appropriate
Replace with the apache_solr backup folder
Start all exacqVision Enterprise Manager service including solrApache and solrJetty.

Notes

The presence of Log4j files in C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache-solr\server\resources does not mean there is a vulnerability ensure the version of apache is either 2.4.51 or 7.5.0.

Related Trac Tickets

https://trac.exacq.com/DVR/ticket/23311 “Fix Log4j vulnerability in Apache Solr – CVE-2021-44228”
https://trac.exacq.com/DVR/ticket/23188 “Update Apache to 2.4.51”
https://trac.exacq.com/DVR/ticket/23062 “Apache Solr incremental update to 7.5.0”

Tags Updating EM, 6678, log4j, Apache Solr, Apache, Vulnerability, Level2

Knowledge Support Support Categories exacqVision Webservice Products Uncategorized

An Unauthenticated Remote User Could be Given Access to Credentials Stored in the Server

Post author By Bhargav Atturu
Post date October 4, 2021

Overview:

Johnson Controls has confirmed a vulnerability impacting the exacqVision Web Service. The exacqVision Web Service is also included in the exacqVision Server Bundle along with the exacqVision Client and exacqVision Server. The exacqVision Web Service allows users to retrieve video and other data from exacqVision servers using a browser and mobile application. When passthrough / unauthenticated access is enabled, credentials for other systems connected to exacqVision could be exposed.

Impact:

Under certain configurations an unauthenticated remote user could be given access to credentials stored in the exacqVision Server.

Affected Versions:

exacqVision Web Service version 21.06.11.0 or older.

Mitigation:

Upgrade exacqVision Web Service to version 21.09.
Current users can obtain the critical software update from the Software Downloads location at: https://www.exacq.com/support/downloads.php

Resources:

JCI Cyber Solutions Product Security Advisories Website JCI‐PSA‐2021‐16 JCI-PSA-2021-16.docx (johnsoncontrohttps://www.johnsoncontrols.com/-/media/jci/cyber-solutions/product-security-advisories/2021/jci-psa-2021-16.pdf?la=en&hash=46C02304209410715E488DF9B74EDCA45FFCB908ls.com)
Common Vulnerabilities & Exposures (CVE) CVE-2021-27664 – National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) https://nvd.nist.gov/vuln/detail/CVE-2021-27664 (RESERVED but not posted yet) or MITRE CVE® List https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27664 (RESERVED but not posted yet)
Cybersecurity & Infrastructure Security Agency (CISA) Industrial Control Systems (ICS) Advisories ICSA‐21‐280‐01 https://us-cert.cisa.gov/ics/advisories/icsa-21-280-01

Tags JCI‐PSA‐2021‐16, CVE-2021-27664, ICSA‐21‐280‐01, Vulnerability, Internal, version 21.09, 6435

Knowledge Support Support exacqVision Server Categories Products

An Unauthenticated Remote User Could Exploit a Potential Integer Overflow Condition in the Server and Cause DoS

Post author By Bhargav Atturu
Post date October 4, 2021

Overview:

Johnson Controls has confirmed a vulnerability impacting Exacq Technologies exacqVision. The exacqVision Server is also included in the exacqVision Server Bundle along with the exacqVision Client and exacqVision Web Service. Under certain circumstances an integer overflow condition could exist in the exacqVision Server.

Impact:

An unauthenticated remote user could exploit a potential integer overflow condition in the exacqVision Server with a specially crafted script and cause Denial of Service (DoS).

Affected Versions:

exacqVision Server 32‐bit version 21.06.11.0 or older.

Mitigation:

Upgrade exacqVision Server 32‐bit to version 21.09 or Upgrade to exacqVision Server 64‐bit.
Current users can obtain the critical software update from the Software Downloads location at: https://www.exacq.com/support/downloads.php

Resources:

JCI Cyber Solutions Product Security Advisories Website JCI‐PSA‐2021‐18 https://www.johnsoncontrols.com/-/media/jci/cyber-solutions/product-security-advisories/2021/jci-psa-2021-18.pdf?la=en&hash=D5577A925D77BDFA025AAB3708AACC1A0B62AF67
Common Vulnerabilities & Exposures (CVE) CVE‐2021‐27665 – National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) https://nvd.nist.gov/vuln/detail/CVE-2021-27665 (RESERVED but not posted yet) or MITRE CVE® List https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27665 (RESERVED but not posted yet)
Cybersecurity & Infrastructure Security Agency (CISA) Industrial Control Systems (ICS) Advisories ICSA‐21‐280‐03 https://us-cert.cisa.gov/ics/advisories/icsa-21-280-03

Tags ICSA‐21‐280‐03, Vulnerability, Level2, 6418, version 21.09, 32‐bit version 21.06.11.0 or older, Denial of Service (DoS), Integer Overflow Condition, CVE‐2021‐27665, JCI‐PSA‐2021‐18

Knowledge Support Support Categories exacqVision Webservice Products

An authenticated exacqVision Web Service user could access a web page that does not properly preserve the web page structure.

Post author By Bhargav Atturu
Post date June 25, 2021

Overview

An authenticated exacqVision Web Service user could access a web page that does not properly preserve the web page structure.

Impact

The software does not sufficiently validate, filter, escape, and/or encode user-controllable input before it is placed as output that is used as a web page that is served to other users.

Affected Versions

All versions of exacqVision Web Service up to and including 21.03.

Mitigation

Upgrade all previous versions of exacqVision Web Service to the latest version of 21.06+.

Current users can obtain the critical software update from the Software Downloads location at https://www.exacq.com/support/downloads.php.

Resources

Cyber Solutions Website – https://www.johnsoncontrols.com/cyber-solutions/security-advisories
CVE-2021-27659 – NIST National Vulnerability Database (NVD) https://nvd.nist.gov/vuln/detail/CVE-2021-27659 and MITRE CVE® https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27659

Tags exacqVision Web Service, Vulnerability, Level2, version 21.03, 5930, CVE-2021-27659, fixed in 21.06+

Knowledge Support Support exacqVision Enterprise Categories Products

An authenticated exacqVision Enterprise Manager user could access a web page that does not properly preserve the web page structure.

Post author By Bhargav Atturu
Post date June 24, 2021

Overview

An authenticated exacqVision Enterprise Manager user could access a web page that does not properly preserve the web page structure.

Impact

The software does not sufficiently validate, filter, escape, and/or encode user-controllable input before it is placed as output used as a web page that is served to other users.

Affected Versions

All versions of exacqVision Enterprise Manager up to and including version 20.12.

Mitigation

Upgrade all previous versions of exacqVision Enterprise Manager to the latest version 21.03+.

Current users can obtain the critical software update from the Software Downloads location https://www.exacq.com/support/downloads.php?section=esm

Resources

Cyber Solutions Website – https://www.johnsoncontrols.com/cyber-solutions/security-advisories JCI-PSA-2021-08
CVE-2021-27658 – NIST National Vulnerability Database (NVD) https://nvd.nist.gov/vuln/detail/CVE-2021-27658 and MITRE CVE® https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27658

Tags Vulnerability, Level2, 5890, exacqVision Enterprise Manager, CVE-2021-27658, version 21.03

Knowledge Support Documentation Support exacqVision Enterprise

PostgreSQL 9.6 End of Life

Post author By Tom Oakes
Post date May 24, 2021

PostgreSQL 9.6 is currently bundle with exacqVision Enterprise Manager. This version will reach end of life in November 2021.

The PostgreSQL Global Development Group will release the final update for 9.6 on November 11, 2021. See their versioning page for details at https://www.postgresql.org/support/versioning/

AWS has announced PostgreSQL 9.6 on will reach end of life on January 31, 2022. See the forum announcement at https://forums.aws.amazon.com/ann.jspa?annID=8512 for more details.

Preparation and testing for a migration to a newer version of PostgreSQL is ongoing and will be bundled in exacqVision Enterprise Manager.

Tags Guest, Enterprise System Manager, EM, PostgreSQL, Vulnerability, 5635

Knowledge Support Support Categories Products exacqVision Hardware

Product Security Advisory – CVE-2021-3156

Post author By Bill Stovall
Post date April 30, 2021

Overview
Ubuntu recently announced security vulnerabilities that impact the exacqVision Network Video Recorder versions which use the Ubuntu Linux operating system. These affect a built-in Linux application called “Sudo” which controls the provisioning of super user (administrator) access to the operating system which, under certain circumstances, could be leveraged by an attacker to achieve unauthorized privilege escalation. Johnson Controls recommends that customers apply the Ubuntu security updates to all affected exacqVision product deployments.

Impact
Under specific circumstances, a local attacker could use this issue to obtain unintended super user access to the underlying Ubuntu operating system.

Affected Versions
exacqVision is available in both Windows and Linux versions. This issue affects all unpatched versions of the Ubuntu operating system used on Linux based Z-Series and A-Series and all Q-Series, G-Series, Legacy LC-Series, and Legacy ELP-Series exacqVision Network Video Recorders (NVR), as well as Linux based C-Series Workstations and all S-Series Storage Servers.

Mitigation
Install the latest security updates for the Ubuntu operating system. Users may contact exacqVision technical support for assistance with updating their operating system.
https://exacq.com/support/techsupport/

Initial Publication
April 29, 2021

Last Published
April 29, 2021

Resources
Cyber Solutions Website – https://www.johnsoncontrols.com/cyber-solutions/security-advisories
CVE-2021-3156 – NIST National Vulnerability Database (NVD) and MITRE CVE® List
ICSA-21-119-03 – CISA ICS-CERT Advisories
Ubuntu Security Notice 1 – https://ubuntu.com/security/notices/USN-4705-1
Ubuntu Security Notice 2 – https://ubuntu.com/security/notices/USN-4705-2

Ubuntu 18.04 and 16.04 Update Instructions

From the Ubuntu Desktop, click on “Applications > System Tools > Terminal”

Ensure your system can access the internet. Run the following command to update the available software from Ubuntu’s repository.

sudo apt upgrade

To update all packages (including kernel updates), run the following command:

sudo apt dist-upgrade

NOTE: Alternatively, to only update what’s necessary to address this vulnerability, run the following command:

sudo apt upgrade sudo

You will be prompted asking if you would like to continue, type ‘Y’ and hit ‘Enter’.

Tags Guest, Linux, Ubuntu, Vulnerability, 5079, CVE-2021-3156