A high-severity vulnerability that can lead to a full compromise of the system hosting the SQL database was found in the Genetec Security Center product line. This vulnerability was discovered internally by the Genetec engineering team. There is currently no evidence of this vulnerability being exploited otherwise.
This vulnerability (CVE-2023-1522) affects the Hardware Inventory Report section of Security Center 5.11.2. An attacker who successfully exploits this vulnerability may be able to execute any SQL query on any database hosted on the Microsoft SQL server used by the Genetec Directory, as well as run system commands with administrative privileges on its underlying operating system. The CVSS v3.1 base score for this vulnerability is 8.5 (High).
The Hardware Inventory Report is a page that is accessible through the Genetec Security Desk and Config Tool client applications and allows an authenticated/authorized user with the inventory management privileges to list available hardware based on a list of filters. Due to a lack of proper sanitization on the backend service, an attacker can bypass the client-side protection and craft a malicious payload to send arbitrary SQL queries to the system through this task.
Customers running Security Center 5.11.2 should update the Security Center servers hosting the Directory service to version 126.96.36.199 or newer as soon as possible.
If the Security Center instance cannot be updated in a timely fashion, the system administrator should remove the Hardware Inventory Task privilege from all users until the patch is applied.
|Product||Affected||Patch Release Version|
|Security Center 5.11.2||Yes||188.8.131.52|
|Security Center SaaS Edition||Patched||N/A|
|All other Security Center versions||No||N/A|
|Other Genetec products||No||N/A|
For more information or assistance, please log in to the Genetec Technical Assistance Portal (GTAP) to open a support case.