1. Introduction
The Johnson Controls exacqVision Web Service Detection finding identifies a web application for video management running on a remote host. This service allows users to view live and recorded video, as well as control camera functions via a web browser. Its presence indicates a potential exposure point for attackers seeking access to surveillance systems. A successful exploit could compromise the confidentiality, integrity, and availability of video data and connected cameras.
2. Technical Explanation
The Johnson Controls exacqVision Web Service is a web application that provides remote access to video management features. The finding concerns the presence of this exposed service, which may be accessible without proper authentication or security measures. An attacker could potentially exploit vulnerabilities within the web service itself to gain unauthorized access to the system. There is no known CVE associated with simply running the service; however, any unpatched flaws within exacqVision can be exploited remotely through it.
- Root cause: The presence of an exposed web application interface for video management without sufficient security controls.
- Exploit mechanism: An attacker could attempt to exploit known vulnerabilities in the exacqVision Web Service, such as default credentials or unpatched flaws, to gain access to live and recorded video feeds, control camera functions, or compromise the underlying system.
- Scope: Johnson Controls exacqVision servers running the web service are affected. Specific versions depend on installed software and patches.
3. Detection and Assessment
To confirm whether a system is vulnerable, first check for the presence of the exacqVision Web Service. A thorough assessment involves identifying the version number and any known vulnerabilities associated with that version.
- Quick checks: Attempt to access the web service via a web browser on the default ports, 80 or 443. If the page loads, the service is running.
- Scanning: Nessus plugin ID 16729 can identify exacqVision systems. This should be used as an example only and may require updates to remain accurate.
- Logs and evidence: Examine web server logs for requests related to exacqVision, indicating access attempts or activity.
nmap -p 80,443 <target-host>
4. Solution / Remediation Steps
The primary solution is to secure the exacqVision Web Service or remove it if not required. This involves implementing strong authentication, keeping the software updated, and restricting access.
4.1 Preparation
- Services: No services need to be stopped for the initial assessment, but stopping them may be needed during patching or configuration updates.
- Roll back plan: Revert any configuration changes or restore from the backup if issues arise.
4.2 Implementation
- Step 1: Review the exacqVision documentation for security best practices and recommended configurations.
- Step 2: Change default credentials for all user accounts associated with the web service.
- Step 3: Update the exacqVision software to the latest version, including any available security patches.
- Step 4: Restrict access to the web service using firewalls or network segmentation.
4.3 Config or Code Example
Before
# Default credentials (example)
Username: admin
Password: password
After
# Strong, unique credentials
Username: <unique-username>
Password: <long-random-password>
4.4 Security Practices Relevant to This Vulnerability
Several security practices can help mitigate this vulnerability type. Least privilege limits the impact of a successful exploit. Input validation prevents malicious data from being processed, and secure defaults reduce the risk of misconfiguration.
- Practice 1: Implement least privilege access controls to limit user permissions within the exacqVision system.
- Practice 2: Regularly update software and apply security patches to address known vulnerabilities.
4.5 Automation (Optional)
Automation is not directly applicable for this vulnerability, as it requires configuration changes specific to the exacqVision system.
5. Verification / Validation
Confirm the fix by verifying that strong authentication is enabled and that the software has been updated to the latest version. Perform a smoke test to ensure core functionality remains operational.
- Post-fix check: Attempt to log in using the new, strong credentials. Successful login confirms the change.
- Re-test: Re-run the initial access attempt via a web browser; it should now require valid authentication.
- Monitoring: Monitor logs for failed login attempts or unusual activity related to the exacqVision Web Service.
# Example command to check service status (may vary)
systemctl status exacqvision
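One way to carry out the log checks described under "Logs and evidence" and "Monitoring", shown as an added example that is not part of the original page or of exacqVision itself. It assumes a reverse proxy in front of the web service writes combined-format access logs; the `/login` path, the sample lines, the threshold and the window are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: ip ident user [time] "request" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
FAILED = {"401", "403"}  # responses treated as failed authentication

# Constructed sample lines (not real traffic); /login is a hypothetical path.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2024:10:00:01 +0000] "POST /login HTTP/1.1" 401 512
192.0.2.10 - - [12/Mar/2024:10:00:03 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [12/Mar/2024:10:00:04 +0000] "POST /login HTTP/1.1" 401 512
192.0.2.10 - - [12/Mar/2024:10:00:05 +0000] "POST /login HTTP/1.1" 401 512
192.0.2.10 - - [12/Mar/2024:10:00:09 +0000] "POST /login HTTP/1.1" 200 2048
198.51.100.7 - - [12/Mar/2024:10:20:00 +0000] "POST /login HTTP/1.1" 200 2048
malformed line that the parser must skip
"""

def detect_bursts(log_text, threshold=3, window_seconds=60):
    """Return {ip: {"failures": n, "success_after_burst": bool}} for flagged IPs."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, status = m["ip"], m["status"]
        q = recent[ip]
        while q and ts - q[0] > window:
            q.popleft()  # drop failures older than the window
        if status in FAILED:
            q.append(ts)
            if len(q) >= threshold:
                entry = flagged.setdefault(
                    ip, {"failures": 0, "success_after_burst": False})
                entry["failures"] = max(entry["failures"], len(q))
        elif status.startswith("2") and ip in flagged and q:
            # A success while the failure burst is still inside the window
            # deserves review: the credentials may have been guessed.
            flagged[ip]["success_after_burst"] = True
    return flagged

if __name__ == "__main__":
    for ip, info in detect_bursts(SAMPLE_LOG).items():
        print(ip, info)
```

An address that is flagged with `success_after_burst` set is the case to review first, since a login succeeded shortly after repeated failures from the same source.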
6. Preventive Measures and Monitoring
Update security baselines to include strong authentication requirements for video management systems. Implement regular patch cycles to address known vulnerabilities promptly.
- Baselines: Update your security baseline or policy to require strong passwords and multi-factor authentication for all remote access services, including exacqVision.
- Asset and patch process: Establish a regular patch review cycle (e.g., weekly or monthly) to ensure timely application of security updates for all systems.
7. Risks, Side Effects, and Roll Back
Changing default credentials may disrupt existing integrations that rely on those credentials. Updating the software could introduce compatibility issues with other systems. If issues arise, revert any configuration changes or restore from the backup.
- Risk or side effect 1: Disruption of existing integrations due to credential changes; mitigate by testing changes in a non-production environment first.
8. References and Resources
- Vendor advisory or bulletin: https://www.exacq.com/support/manspecs/