Johnson Controls VideoEdge
Monitor | 5.3 | ICS-CERT ICSA-22-011-01 | Jan 11, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A vulnerability in Johnson Controls VideoEdge NVRs (versions 5.4.1 through 5.7.1) allows a remote attacker without authentication to cause a denial of service. Running a vulnerability scanner or sending a crafted request against the device causes some functions to stop responding. Johnson Controls recommends upgrading to Version 5.9 or later. Hotfixes are available for affected versions through American Dynamics technical support.
What this means
What could happen
A vulnerability scanner or specially crafted network request can cause the VideoEdge NVR to lose some functionality, potentially interrupting video recording or monitoring capabilities during the outage.
Who's at risk
Water utilities and municipal electric companies using Johnson Controls VideoEdge network video recorders (NVRs) for physical security monitoring of critical infrastructure assets like substations, treatment facilities, and water storage sites should update their systems.
How it could be exploited
An attacker on the network sends a malformed request to the VideoEdge NVR (vulnerability details not specified in advisory, but triggered by scanner activity). The device fails to handle the request properly and stops responding to normal operations.
Prerequisites
- Network access to the VideoEdge NVR device
- No authentication required to trigger the DoS condition
- Remotely exploitable
- No authentication required
- Denial of service impact on security monitoring
- Affects versions 5.4.1 through 5.7.1
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product | Affected Versions | Fix Status
VideoEdge | ≥ 5.4.1 and ≤ 5.7.1 | 5.9
Remediation & Mitigation
Do now
HARDENING: Isolate the VideoEdge NVR behind a firewall and keep it off the business network to prevent unauthorized scanner access
WORKAROUND: Restrict network access to VideoEdge to only authorized management and monitoring workstations
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Upgrade VideoEdge to Version 5.9 or later
HOTFIX: Contact American Dynamics technical support for hotfixes available for Versions 5.4.1 through 5.7.1 if immediate upgrade is not possible
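To apply the affected range and fix version above to a fleet of NVRs, the following is an added inventory-triage script (not part of the advisory or the vendor's tooling). It assumes each device's firmware version is already known, for example from an asset register, and compares versions numerically so that 5.10 is not mistaken for a release older than 5.9.

```python
# Added example, not from the advisory: triage VideoEdge firmware versions
# against the affected range (>= 5.4.1 and <= 5.7.1) and the fixed release (5.9).
import re
from typing import Iterable, List, Tuple

AFFECTED_MIN = (5, 4, 1)
AFFECTED_MAX = (5, 7, 1)
FIXED_VERSION = (5, 9)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.4.1', '5.9' or 'v5.10' into a tuple of ints.

    Plain string comparison would wrongly rank '5.10' below '5.9';
    integer tuples order correctly.
    """
    m = re.fullmatch(r"\s*v?(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def pad(v: Tuple[int, ...], width: int = 3) -> Tuple[int, ...]:
    """Right-pad with zeros so '5.9' compares as (5, 9, 0)."""
    return v + (0,) * (width - len(v))


def is_affected(version: str) -> bool:
    v = pad(parse_version(version))
    return pad(AFFECTED_MIN) <= v <= pad(AFFECTED_MAX)


def recommended_action(version: str) -> str:
    """Map a firmware version to the remediation the advisory lists."""
    v = pad(parse_version(version))
    if v >= pad(FIXED_VERSION):
        return "fixed"
    if is_affected(version):
        return "upgrade to 5.9 or later; interim hotfix via American Dynamics support"
    # Releases the advisory does not name (e.g. 5.8 or older than 5.4.1)
    return "outside the advisory's affected range; verify separately"


def triage(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """inventory: (hostname, version) pairs -> (hostname, version, action) rows."""
    return [(host, ver, recommended_action(ver)) for host, ver in inventory]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = [("nvr-substation-1", "5.4.1"), ("nvr-plant-2", "5.7.1"),
              ("nvr-storage-3", "5.9"), ("nvr-legacy-4", "5.3.0"), ("nvr-new-5", "5.10.2")]
    for host, ver, action in triage(sample):
        print(f"{host:18} {ver:8} {action}")
```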
CVEs (1)