NVD Vulnerability Detail

CVE-2019-7590

Summary	ExacqVision Server’s services 'exacqVisionServer', 'dvrdhcpserver' and 'mdnsresponder' have an unquoted service path. If an authenticated user is able to insert code in their system root path it potentially can be executed during the application startup. This could allow the authenticated user to elevate privileges on the system. This issue affects: Exacq Technologies, Inc. exacqVision Server 9.6; 9.8. This issue does not affect: Exacq Technologies, Inc. exacqVision Server version 9.4 and prior versions; 19.03. It is not known whether this issue affects: Exacq Technologies, Inc. exacqVision Server versions prior to 8.4.
Publication Date	July 20, 2019, 6:15 a.m.
Registration Date	Jan. 26, 2021, 11:44 a.m.
Last Update	Nov. 21, 2024, 1:48 p.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:johnsoncontrols:exacqvision_server:9.8:::::::*
cpe:2.3:a:johnsoncontrols:exacqvision_server:9.6:::::::*

Related information, measures and tools

No	URL	タグ
1	http://www.securityfocus.com/bid/109307	Third Party Advisory VDB Entry
2	https://gallery.technet.microsoft.com/scriptcenter/Windows-Unquoted-Service-190f0341	Patch Third Party Advisory
3	https://packetstormsecurity.com/files/152128/exacqVision-9.8-Unquoted-Service-Path-Privilege-Escalation.html	Exploit Third Party Advisory VDB Entry
4	https://www.johnsoncontrols.com/cyber-solutions/security-advisories	Mitigation Vendor Advisory
5	https://www.us-cert.gov/ics/advisories/icsa-19-199-01	Third Party Advisory US Government Resource
6	https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5515.php	Third Party Advisory
7	http://www.securityfocus.com/bid/109307	Third Party Advisory VDB Entry
8	https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5515.php	Third Party Advisory
9	https://www.us-cert.gov/ics/advisories/icsa-19-199-01	Third Party Advisory US Government Resource
10	https://www.johnsoncontrols.com/cyber-solutions/security-advisories	Mitigation Vendor Advisory
11	https://packetstormsecurity.com/files/152128/exacqVision-9.8-Unquoted-Service-Path-Privilege-Escalation.html	Exploit Third Party Advisory VDB Entry
12	https://gallery.technet.microsoft.com/scriptcenter/Windows-Unquoted-Service-190f0341	Patch Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-428	引用されない検索パスまたは要素	https://cwe.mitre.org/data/definitions/428.html

JVN Vulnerability Information

ExacqVision Server における引用されない検索パスまたは要素に関する脆弱性

Title	ExacqVision Server における引用されない検索パスまたは要素に関する脆弱性
Summary	ExacqVision Server には、引用されない検索パスまたは要素に関する脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	March 28, 2019, midnight
Registration Date	Aug. 5, 2019, 5:37 p.m.
Last Update	Aug. 5, 2019, 5:37 p.m.

Affected System

ジョンソンコントロールズ

ExacqVision Server 9.6

ExacqVision Server 9.8

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2019-7590	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7590
National Vulnerability Database (NVD)
2	CVE-2019-7590	https://nvd.nist.gov/vuln/detail/CVE-2019-7590

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-428	https://cwe.mitre.org/data/definitions/428.html

ベンダー情報

No	Name	URL
Johnson Controls
1	2019 Product Security Advisories	https://www.johnsoncontrols.com/cyber-solutions/security-advisories

その他

No	Name	URL
ICS-CERT ADVISORY
1	ICSA-19-199-01	https://www.us-cert.gov/ics/advisories/icsa-19-199-01
関連文書
2	Microsoft Windows Unquoted Service Path Enumeration	https://gallery.technet.microsoft.com/scriptcenter/Windows-Unquoted-Service-190f0341

Change Log

No	Changed Details	Date of change
1	[2019年08月05日] 掲載	Aug. 5, 2019, 5:37 p.m.