Researchers at cybersecurity firm Tenable have discovered critical and high-severity vulnerabilities in video surveillance systems made by Exacq Technologies, which is owned by building technology giant Johnson Controls.
Tenable’s Zero-Day Research Team discovered two security flaws in the exacqVision web service used by Exacq products. Advisories describing the vulnerabilities were published recently by Tenable, Johnson Controls [1,2], and the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
According to Tenable, the affected web service is designed to allow users to fetch video and other data from exacqVision servers using a web browser. The web service acts as an intermediary between the web client and the server.
Tenable researchers discovered that if the exacqVision server is configured with a so-called passthrough account, which can be used to remotely connect to the server, an unauthenticated attacker can abuse it to access the server with the privileges of this passthrough account.
“If the passthrough account has high privileges (i.e., Full Admin role), the attacker can have more access to the exacqVision server, including adding a user with Full Admin role,” Tenable explained in its advisory. “Even if the passthrough account has low privileges (i.e., Restricted role), the attacker can still see more privileged information. For example, only a user in the Full Admin or Power User role can configure video archiving, but a lower privileged user can see the Direct Search username and password that is part of the archiving configuration.”
The second vulnerability has been described as a DoS issue that can be exploited by a remote, unauthenticated attacker to crash a server by sending specially crafted messages.
Tenable told SecurityWeek that attacks can be launched directly from the internet against systems that are accessible from the internet, but the company could not provide any information regarding the exposure level of these systems.
“If an attacker were to find a vulnerable instance of the exaqVision software exposed to the internet, they would potentially be able to obtain administrative level access to the software without authentication. This would allow them to make configuration changes, steal data, disrupt access to the exaqVision software, or disable it entirely,” Tenable explained.
The vulnerabilities were reported to the vendor in late July and patches were developed roughly one month later. According to Johnson Controls, the vulnerabilities affect the 32-bit version of exacqVision Server 21.06.11.0 and older. Users can update to version 21.9 or upgrade to the 64-bit version to prevent exploitation of the flaws.