Johnson Controls Exacq Technologies exacqVision
Act Now | 7 | ICS-CERT ICSA-21-119-03 | Apr 29, 2021
Attack Vector: Local
Auth Required: Low
Complexity: High
User Interaction: None needed
Summary
A local attacker with non-administrative user access to an exacqVision appliance can exploit a privilege escalation vulnerability to obtain Super User (root) access to the underlying Ubuntu Linux operating system. This affects all exacqVision product lines including Z-Series, A-Series, Q-Series, G-Series, Legacy LC-Series, Legacy ELP-Series, Network Video Recorders (NVR), C-Series Workstations, and S-Series Storage Servers. No patch is available from the vendor.
What this means
What could happen
An attacker with local user access to an exacqVision appliance could gain root control of the system, allowing them to disable video recording, modify system logs, alter recordings, or disrupt the video surveillance infrastructure that may be used for physical security monitoring.
Who's at risk
Water utilities, municipalities, and critical infrastructure operators that run exacqVision video surveillance systems are the primary population at risk. The vulnerability affects all exacqVision product lines used for physical security monitoring: Z-Series and A-Series recorders, Q-Series, G-Series, legacy LC-Series and ELP-Series systems, Network Video Recorders (NVR), C-Series Workstations, and S-Series Storage Servers. Any facility relying on exacqVision for surveillance of critical infrastructure, access points, or incident investigation is at risk.
How it could be exploited
An attacker with a low-privilege local user account on an exacqVision appliance (such as a technician or guest account) can exploit a privilege escalation flaw in the Ubuntu Linux configuration to execute commands with Super User privileges. The attack requires local shell access and moderate effort to exploit, but once successful grants complete system control.
Prerequisites
- Local user account on the exacqVision appliance
- Shell access to the device
- Knowledge of the specific privilege escalation technique (high attack complexity indicates non-trivial exploitation)
Tags:
- actively exploited (KEV)
- no patch available from vendor
- high EPSS score (92.5%)
- affects surveillance/security systems
- local privilege escalation to root access
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (8)
8 EOL

Product | Affected Versions | Fix Status
--- | --- | ---
exacqVision - Q-Series | Q-Series | No fix (EOL)
exacqVision - G-Series | G-Series | No fix (EOL)
exacqVision - Legacy LC-Series | Legacy LC-Series | No fix (EOL)
exacqVision - Legacy ELP-Series | Legacy ELP-Series | No fix (EOL)
exacqVision - Linux based C-Series Workstations | Linux based C-Series Workstations | No fix (EOL)
exacqVision - S-Series Storage Servers | S-Series Storage Servers | No fix (EOL)
exacqVision - Linux based Z-Series and A-Series | Linux based Z-Series and A-Series | No fix (EOL)
exacqVision - exacqVision Network Video Recorders (NVR) | exacqVision Network Video Recorders (NVR) | No fix (EOL)
Remediation & Mitigation
Do now
- [HOTFIX] Install the latest Ubuntu Linux security updates on all exacqVision appliances
- [HARDENING] Apply the least-privilege user principle: restrict local user accounts to only those with business need and minimize permissions granted to service accounts
- [HARDENING] Implement physical access controls and logical access controls to limit who can obtain local shell access to exacqVision appliances
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- [WORKAROUND] Contact Exacq technical support to determine Ubuntu update compatibility with your specific exacqVision models and firmware versions before deploying patches
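The two hardening items above (least-privilege local accounts, limited shell access) are easiest to act on once you have an inventory of who can actually obtain an interactive shell on the appliance and which of those accounts can already escalate through sudo. The following audit script is an added example and is not code from Johnson Controls, Exacq, or the advisory. It reads passwd(5)/group(5) formatted text, lists accounts with an interactive login shell, flags those in Ubuntu's default `sudo` admin group, and warns about any UID 0 account other than `root`. The passwd and group contents below are constructed samples; on a live appliance the same functions are fed `/etc/passwd` and `/etc/group`.

```shell
#!/bin/sh
# Added example (not vendor code): inventory local accounts on an Ubuntu-based
# appliance so least-privilege decisions are made against real data.

# Constructed sample data; not taken from any real exacqVision appliance.
# "toor" is a deliberately planted second UID-0 account so the check has something to find.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:Site admin:/home/admin:/bin/bash
tech:x:1001:1001:Field technician:/home/tech:/bin/bash
guest:x:1002:1002:Guest:/home/guest:/bin/bash
toor:x:0:0:Spare root:/root:/bin/bash
exacq:x:999:999:exacqVision service:/usr/local/exacq:/usr/sbin/nologin'

SAMPLE_GROUP='root:x:0:
sudo:x:27:admin,tech
exacq:x:999:'

# login_accounts PASSWD: usernames whose login shell is interactive
# (anything not ending in nologin/false). Output is one comma-joined line.
login_accounts() {
  printf '%s\n' "$1" | awk -F: '
    $7 !~ /(nologin|false)$/ { out = out (out ? "," : "") $1 }
    END { print out }'
}

# uid0_accounts PASSWD: UID 0 accounts other than root. Extra superuser
# accounts are a classic sign of misconfiguration or earlier compromise.
uid0_accounts() {
  printf '%s\n' "$1" | awk -F: '
    $3 == 0 && $1 != "root" { out = out (out ? "," : "") $1 }
    END { print out }'
}

# sudo_members GROUP: raw member list of the sudo group (Ubuntu's admin group).
sudo_members() {
  printf '%s\n' "$1" | awk -F: '$1 == "sudo" { print $4 }'
}

# is_sudo_member USER GROUP: exit 0 if USER is listed in the sudo group.
is_sudo_member() {
  printf '%s\n' "$2" | awk -F: -v u="$1" '
    $1 == "sudo" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
    END { exit (found ? 0 : 1) }'
}

# audit_report PASSWD GROUP: one line per interactive account with its sudo
# status, then any extra UID-0 accounts. Returns non-zero when review is needed.
audit_report() {
  pw="$1"; gr="$2"; rc=0
  IFS=','
  for u in $(login_accounts "$pw"); do
    if is_sudo_member "$u" "$gr"; then
      echo "$u: interactive shell, CAN sudo -> confirm business need"
    else
      echo "$u: interactive shell, no sudo"
    fi
  done
  unset IFS
  extra=$(uid0_accounts "$pw")
  if [ -n "$extra" ]; then
    echo "WARNING: UID 0 accounts besides root: $extra"
    rc=1
  fi
  return $rc
}

# Stand-alone run against the constructed samples. On a live appliance use:
#   audit_report "$(cat /etc/passwd)" "$(cat /etc/group)"
audit_report "$SAMPLE_PASSWD" "$SAMPLE_GROUP" || echo "review required"
```

Run it as root or any user that can read both files (they are world-readable on Ubuntu). Each account it lists with "CAN sudo" is one that already has a sanctioned path to root and should be tied to a named person with a business need; accounts with an interactive shell but no sudo are exactly the population this advisory's privilege-escalation flaw turns into root, so every one of them that is not needed should be locked or given a nologin shell.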
CVEs (1)
API: /api/v1/advisories/575dca50-7281-4c54-85c9-1f12375424a1