nLight ECLYPSE Default Key Vulnerability

 

Risk Category: High
Document ID: nECY-05-314074
Version: 1.0
Document Status: Final

CVSS v3.1 Score: 10.0
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H

CVE ID: CVE-2021-40825
CWE: CWE-255

 

Description:

nLight ECLYPSE (nECY) system controllers contain a default key vulnerability. The nECY does not force a change to the key upon the initial configuration of an affected device. nECY system controllers use an encrypted channel to secure communications with the SensorView™ configuration and monitoring software and nECY to nECY communications. Impacted devices are at risk of exploitation.

A remote attacker with IP access to an impacted device could submit lighting control commands to the nECY by leveraging the default key. A successful attack may result in the attacker gaining the ability to modify lighting conditions or gain the ability to update the software on lighting devices.

The impacted key is referred to as the SensorView Password in the nECY nLight Explorer Interface and the Gateway Password in the SensorView application.

An attacker cannot authenticate to or modify the configuration or software of the nECY system controller.

The design of nECY system controllers supports both standalone and IP-networked applications. Standalone systems not connected to an IP backbone would require physical access to the system to expose the vulnerability. Systems connected to a broader IP network would require access to this IP network to expose the vulnerability.

 

Impacted Versions:

nLight ECLYPSE (nECY) system controllers running software prior to 1.17.21245.754 are affected.

Note: Implementations that have not been configured to use SensorView or nECY to nECY communications are still affected if they were initially configured with an impacted version installed and the impacted key has not been changed.

The ECLYPSE family of devices from Distech® are not affected.

The Atrius® ECLYPSE A1000 devices are not affected.

 

Resolution:

Change the default key, known as the SensorView Password, to a secure, unique value per site on all impacted nECY system controllers.

Administrators and installers may find instructions on how to perform this action at the following link: Gateway Password - Adjustment and Recovery

Acuity Brands recommends updating to the fixed software version and modifying the configuration for all currently installed controllers. Administrators may find information on how to upgrade an nECY system controller at the following link: nLight ECLYPSE Firmware Update Guide

Note: Updating the software will NOT change the current password on currently installed and operating devices. Administrators must manually change the password to a unique value on all nECY devices and the SensorView platform.
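Because updating the software does not change an existing password, remediation must be tracked as two independent conditions per controller: is the running version 1.17.21245.754 or later, and has the SensorView Password been set to a unique value. The following fleet audit script is an added example, not Acuity Brands code; it assumes an inventory export with the constructed columns device, version and key_changed, and the device names and versions in the sample are hypothetical.

```python
"""
Fleet audit for the nECY default-key issue described in this advisory.

Added example (not Acuity Brands code). It assumes an inventory export
with three columns: device name, running software version, and whether
the SensorView Password / Gateway Password has been changed from the
default. The column names and the sample rows are constructed here.
"""
import csv
import io

# First software version without a default key (value taken from the advisory).
FIXED_VERSION = "1.17.21245.754"


def parse_version(v):
    """Turn '1.17.21245.754' into a tuple of ints so versions compare numerically."""
    return tuple(int(part) for part in v.strip().split("."))


def is_fixed_version(v):
    """True when the running software is 1.17.21245.754 or later."""
    return parse_version(v) >= parse_version(FIXED_VERSION)


def remediation(version, key_changed):
    """
    Return the actions still required for one controller.
    Updating alone does not change an existing password (advisory note),
    so the two checks are evaluated independently.
    """
    actions = []
    if not is_fixed_version(version):
        actions.append("update software")
    if not key_changed:
        actions.append("change SensorView Password")
    return actions


def audit(inventory_csv):
    """Map each device to its outstanding actions; an empty list means compliant."""
    results = {}
    reader = csv.DictReader(io.StringIO(inventory_csv))
    for row in reader:
        key_changed = row["key_changed"].strip().lower() in ("yes", "true", "1")
        results[row["device"]] = remediation(row["version"], key_changed)
    return results


# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY = """device,version,key_changed
necy-bldg1-01,1.16.20310.101,no
necy-bldg1-02,1.16.20310.101,yes
necy-bldg2-01,1.17.21245.754,no
necy-bldg2-02,1.18.22001.010,yes
"""

if __name__ == "__main__":
    for device, actions in audit(SAMPLE_INVENTORY).items():
        status = ", ".join(actions) if actions else "compliant"
        print(f"{device}: {status}")
```

The version comparison is done on integer tuples rather than strings so that a build such as 1.9.x is correctly ordered before 1.17.x. A device on the fixed version whose key_changed column is still "no" is reported as needing a password change, which matches the advisory's note that the update does not alter the password on already-configured controllers.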

 

Fixed Software:

Version 1.17.21245.754 and later do not contain a default key. SensorView and nECY to nECY communications will be disabled until the device installer or administrator provides a unique value.

 

Attribution:

The issue was identified internally by Acuity Brands.
Acuity Brands knows of no exploitation of this issue.

History:

9/16/2021 – Initial Release

 

LEGAL DISCLAIMER:

THIS CONTENT IS PROVIDED ON AN "AS IS" BASIS FOR INFORMATIONAL PURPOSES ONLY AND IS PROVIDED WITHOUT ANY WARRANTY OF ANY KIND. THE CONTENT IS INTENDED FOR USERS OF ACUITY BRANDS PRODUCTS WHO POSSESS THE PROFESSIONAL SKILLS AND JUDGMENT NECESSARY TO INTERPRET THE INFORMATION AND DETERMINE THE APPROPRIATE STEPS TO TAKE. USE OF THE INFORMATION IS AT THE USER’S OWN RISK. THE AUTHOR RESERVES THE RIGHT TO UPDATE OR DELETE THIS CONTENT AT ANY TIME.

 
