
Infrastructure · Credibility 40/100 · 4 min read

Infrastructure Briefing — exacqVision signature bypass enables OS command execution

A Johnson Controls exacqVision update shows the platform did not verify cryptographic signatures on downloads, letting privileged attackers run malicious executables on surveillance servers.

Executive briefing: CISA’s update to ICSA-20-170-01 notes that exacqVision skipped cryptographic verification when downloading executables. The advisory warns that “successful exploitation of this vulnerability could allow an attacker with administrative privileges to potentially download and run a malicious executable that could allow the execution of operating system commands on the system.”

Immediate containment

  • Apply the vendor patch. Johnson Controls issued Product Security Advisory JCI-PSA-2020-7 v2; upgrade to the patched exacqVision releases to enforce signature checks.
  • Limit admin access. Restrict exacqVision console and server administration to dedicated management jump hosts and remove dormant privileged accounts that could be abused to stage unsigned executables.
  • Monitor for anomalous downloads. Capture update traffic and alert on unexpected executable retrievals from exacqVision hosts until patched.

Program follow-through

  • Patch validation. After upgrading, verify signature enforcement by attempting to sideload a tampered package in a lab environment.
  • Change control. Require maintenance windows for video management servers to minimize operational disruption during patching.
  • Asset inventory. Track which camera management nodes use the embedded updater and ensure all instances inherit the fixed package.
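The check the advisory says was missing, together with the lab test from the patch-validation item above, as an added example that is not Johnson Controls code and not the vendor patch; it assumes an Ed25519 detached signature over the package bytes under a vendor public key pinned in the updater (key pair, payload and signature are all constructed in the block):

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrBadSignature is returned when a downloaded package fails verification.
var ErrBadSignature = errors.New("update package rejected: signature does not verify")

// VerifyUpdate is the step the advisory describes as absent: the downloaded
// executable bytes must carry a valid detached signature under the pinned
// vendor public key before anything is written to disk or executed.
func VerifyUpdate(vendorPub ed25519.PublicKey, pkg, sig []byte) error {
	if len(vendorPub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	if !ed25519.Verify(vendorPub, pkg, sig) {
		return ErrBadSignature
	}
	return nil
}

// SimulateSideload models the lab check from the briefing: sign a constructed
// package, then confirm the genuine copy is accepted and a tampered copy is
// rejected. Returns (genuineAccepted, tamperedAccepted, error).
func SimulateSideload() (bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // stands in for the vendor's pinned key
	if err != nil {
		return false, false, err
	}
	genuine := []byte("constructed exacqVision update payload v1") // constructed sample
	sig := ed25519.Sign(priv, genuine)

	tampered := append([]byte{}, genuine...)
	tampered[len(tampered)-1] = '2' // one-byte change, as a swapped download would show
	genuineOK := VerifyUpdate(pub, genuine, sig) == nil
	tamperedOK := VerifyUpdate(pub, tampered, sig) == nil
	return genuineOK, tamperedOK, nil
}

func main() {
	genuineOK, tamperedOK, err := SimulateSideload()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Printf("genuine accepted: %v, tampered accepted: %v\n", genuineOK, tamperedOK)
}
```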

Source excerpts

Primary — exploit description: “Successful exploitation of this vulnerability could allow an attacker with administrative privileges to potentially download and run a malicious executable that could allow the execution of operating system commands on the system.”

CISA ICSA-20-170-01 (Johnson Controls exacqVision)

Primary — vulnerability cause: “The software does not verify the cryptographic signature for data, which could allow an attacker with administrative privileges to download and run a malicious executable.”

CISA ICSA-20-170-01 (Johnson Controls exacqVision)