Johnson Controls exacqVision client and exacqVision server

Plan PatchCVSS 8.3ICS-CERT ICSA-24-214-01Aug 1, 2024

Johnson Controls

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityHigh

User InteractionRequired

Summary

A vulnerability in Johnson Controls exacqVision Client and Server due to insufficient encryption key length and exchange procedures allows an attacker with network access to the communications channel to decrypt data transmitted between the server and client. The vulnerability affects the confidentiality of communications, potentially exposing surveillance feeds, credentials, and access control information. While this has high attack complexity and no known public exploitation, the impact to surveillance system confidentiality is significant.

What this means

What could happen

An attacker could decrypt communications between the exacqVision Server and Client, potentially intercepting video surveillance feeds, access credentials, or other sensitive data transmitted between these components. This could expose facility access control information and compromise the integrity of security monitoring systems.

Who's at risk

Facilities managers and security teams operating Johnson Controls exacqVision video surveillance systems should be concerned. This affects all organizations using exacqVision for physical security monitoring, access control integration, or facility surveillance regardless of installation size or industry vertical.

How it could be exploited

An attacker with network access to the communication channel between exacqVision Server and Client could passively intercept encrypted traffic. Because the encryption uses insufficient key length, the attacker could perform cryptanalysis to decrypt the communications without needing valid credentials or authentication, revealing the plaintext data flowing between these systems.

Prerequisites

Network access to communications between exacqVision Server and Client (can be on-site or via compromised internal network segment)
Ability to capture encrypted traffic (network sniffing or man-in-the-middle position)
Computational resources to perform cryptanalysis on weak encryption scheme

Weak encryption (insufficient key length)No patch currently available for deployed systemsAffects security-critical communicationsRequires network access but no authentication

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

exacqVision server: vers:all/*All versions24.06+

exacqVision client: vers:all/*All versions24.06+

Remediation & Mitigation

0/4

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate exacqVision Client and Server to version 24.06 or later

Long-term hardening

0/3

HARDENINGFollow password strengthening guidance in the exacqVision Hardening Guide

HARDENINGSegment exacqVision infrastructure behind firewalls, isolating surveillance network from business networks and internet

HARDENINGImplement network monitoring to detect unauthorized access attempts to exacqVision Server and Client

CVEs (1)

CVE-2024-32758

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/b3e1bbb4-9a9b-4348-a0c5-beb468f34dc1

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.