GRI

ICS Advisory: Qognify NiceVision

News Cybersecurity English Guidance
Date: 5th Oct, 2023 Source: Cybersecurity and Infrastructure Security Agency Country: USA Original Source

Brief

Summary:

The provided document is a View CSAF (Cybersecurity and Infrastructure Security Agency Fix) report on a vulnerability in the Qognify NiceVision IP-video surveillance system. The vulnerability, CVE-2023-2306, allows attackers to access sensitive information using hard-coded credentials, affecting versions 3.1 and prior of NiceVision. The CVSS v3 base score is 10.0, indicating high severity. Qognify has released a patched version, v3.2 UP2 HF2, and recommends users minimize network exposure and use secure remote access methods. The Cybersecurity and Infrastructure Security Agency (CISA) recommends implementing defensive measures, performing risk assessments, and following cybersecurity best practices to mitigate the vulnerability.

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v3 10.0
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Qognify
  • Equipment: NiceVision
  • Vulnerability: Use of Hard-coded Credentials

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to retrieve sensitive information about the cameras managed by the platform and its users.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Qoginfy NiceVision, an IP-video surveillance system, are affected:

  • NiceVision: v3.1 and prior

3.2 Vulnerability Overview

3.2.1 USE OF HARD-CODED CREDENTIALS CWE-798

Qognify NiceVision versions 3.1 and prior are vulnerable to exposing sensitive information using hard-coded credentials. With these credentials an attacker can retrieve information about the cameras, user information, and modify database records.

CVE-2023-2306 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Roni Gavrilov of OTORIO reported this vulnerability to CISA.

4. MITIGATIONS

Qognify has released NiceVision v3.2 UP2 HF2. The latest release is available to customers who have an active SMA (Service Maintenance Agreement) with Qognify.

For more information contact Qognify.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • October 05, 2023: Initial Publication

Highlights content goes here...

Summary:

The View CSAF document provides information on a critical vulnerability in the Qognify NiceVision IP-video surveillance system. The vulnerability, designated as CVE-2023-2306, is rated CVSS v3 10.0, indicating a high severity rating. The vulnerability allows an attacker to retrieve sensitive information about the cameras, users, and modify database records using hard-coded credentials.

Executive Summary:
The vulnerability affects NiceVision versions 3.1 and prior, and it is exploitable remotely with low attack complexity. The vulnerability is particularly severe, as it allows an attacker to access sensitive information and modify records.

Risk Evaluation:
Successful exploitation of the vulnerability could allow an attacker to retrieve sensitive information about the cameras and users managed by the platform. This vulnerability poses a significant risk to organizations that use NiceVision, particularly those in the commercial facilities sector.

Technical Details:
The affected products are NiceVision versions 3.1 and prior. The vulnerability is caused by the use of hard-coded credentials, which can be exploited by an attacker. The CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating a vulnerability that is highly vulnerable to exploitation.

Mitigations:
To mitigate the risk of exploitation, Qognify has released NiceVision v3.2 UP2 HF2, which is available to customers with an active service maintenance agreement. CISA recommends minimizing network exposure, locating control systems behind firewalls, and using secure remote access methods. CISA also encourages organizations to implement recommended cybersecurity strategies and report suspected malicious activity.

Update History:
The document was initially published on October 5, 2023.

Cybersecurity and Infrastructure Security Agency

Quick Insight
RADA.AI
RADA.AI
Hello! I'm RADA.AI - Regulatory Analysis and Decision Assistance. Your Intelligent guide for compliance and decision-making. How can i assist you today?
Suggested
Related Documents
Maintenance of Good Practice Certificate Queries
Date: 4th Feb, 2025 Source: National Health Surveillance Agency (Anvisa) Country: Brazil
News Healthcare & Pharma Guidance
Are your organisation’s edge devices secure?
Date: 5th Feb, 2025 Source: Australian Cyber Security Centre (ACSC) Country: Australia
News Cybersecurity Guidance
How EASA certified Safran’s ENGINeUS 100 electric engine
Date: 4th Feb, 2025 Source: European Union Aviation Safety Agency (EASA) Country: European Union
News Aviation & Aerospace Guidance

Form successfully submitted. One of our GRI rep will contact you shortly

Thanking You!

Click here

Enter your Email

Enter your registered username/email id.

Enter your Email

Enter your email id below to signup.

Enter your Email

Enter your email id below to signup.
Individual Plan
  • Designed for Growing Compliance Teams
$125 / month OR $1250 / year
Features
  • • Coverage for 20 jurisdictions
  • • Monitoring from 500+ regulatory authorities
  • • AI compliance summaries
  • • RaDa.ai : Single-Role
Best for: Researchers, Legal professionals, Academics
Subscribe Now
Enterprise Plan
  • Perfect for Global Enterprises
Contact for Pricing
Features
  • • Custom jurisdictional coverage
  • • Custom monitoring of regulatory authorities
  • • RaDa.ai : Customizable multi-role
  • • Custom reporting and dashboard capabilities
  • • API access for seamless integration
Best for: Law Firms, Corporations, Government Bodies
Contact Sales