Meltdown and Spectre vulnerabilities mitigation recommendations for Genetec products
Two potential security vulnerabilities affecting Windows operating systems and Intel® processors have been discovered. These vulnerabilities may lead to unauthorized access to information.
*January 31st, 2018 update below*
Intel® has issued a new advisory urging its OEMs, software vendors, and end users to stop deploying its Spectre microcode patch because it was causing unexpected system reboots on some systems.
Consequently, HP and Dell have withdrawn the microcode updates that were previously available and will publish revised updates once Intel® releases them. Microsoft also issued an out-of-cycle update, KB4078130 (Catalog, Description), which disables the mitigation for CVE-2017-5715 (Spectre Variant 2). This update targets all systems that have been patched with Intel®'s recalled microcode.
We recommend that customers update their systems in accordance with the table below but refrain from updating the microcode for now. Customers who have already applied the recalled microcode should apply Windows update KB4078130.
Further updates will be made to this security advisory when a new microcode becomes available.
On January 3rd, 2018, two potential security vulnerabilities were disclosed publicly. The Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753, CVE-2017-5715) vulnerabilities may lead to unauthorized access to information on a Windows system. To exploit these vulnerabilities, one must have the ability to execute code on the targeted device.
These vulnerabilities affect Windows operating systems running on Intel® processors (Meltdown & Spectre) and AMD processors (Spectre).
Some Genetec products combine a Windows operating system with Intel® processors (Streamvault™ appliances, Synergis™ Cloud Link, AutoVu™ Sharp cameras), and Security Center can also be installed on such components. These vulnerabilities could therefore be used to gain unauthorized access to information stored by Genetec products, although no such exploitation has been observed to date.
Microsoft has released an advisory offering guidance and patches for Windows clients (KB 4073119) and Windows Servers (KB 4072698), as well as a PowerShell script (Speculation Control Validation PowerShell Script) that validates that the patches were successfully applied. Microsoft also specifies that a processor microcode or firmware update must be installed along with the Windows patches for customers to be fully protected against these vulnerabilities.
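As an added example that is not part of the Genetec advisory, the following PowerShell snippet runs Microsoft's SpeculationControl module (the validation script referenced above) and summarizes the state of the two mitigations this advisory discusses on the host where it is run. It assumes an elevated PowerShell session with access to the PowerShell Gallery; the property names used are the ones the module's Get-SpeculationControlSettings cmdlet exposes.

```powershell
# Added example, not code from the Genetec advisory or from Microsoft.
# Runs Microsoft's SpeculationControl module and summarizes the mitigation state
# for CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown).
# Assumes an elevated session with PowerShell Gallery access.

# Allow the module to load for this process only; the machine policy is unchanged.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force

if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
    Install-Module -Name SpeculationControl -Scope CurrentUser -Force
}
Import-Module SpeculationControl

# The cmdlet prints an explanation and returns an object with boolean properties.
$s = Get-SpeculationControlSettings

$report = @(
    # Branch target injection (Spectre Variant 2) needs both the Windows update and a
    # supporting microcode; only the "Enabled" value tells you the mitigation is active.
    [pscustomobject]@{
        Mitigation     = 'CVE-2017-5715 (Spectre Variant 2)'
        WindowsSupport = $s.BTIWindowsSupportPresent   # True once the January 2018 update is installed
        Enabled        = $s.BTIWindowsSupportEnabled   # False after KB4078130 or without microcode
        Note           = "Microcode support present: $($s.BTIHardwarePresent)"
    }
    # Kernel VA shadowing (Meltdown) is a pure Windows fix; it is not required on AMD CPUs.
    [pscustomobject]@{
        Mitigation     = 'CVE-2017-5754 (Meltdown)'
        WindowsSupport = $s.KVAShadowWindowsSupportPresent
        Enabled        = $s.KVAShadowWindowsSupportEnabled
        Note           = "Required on this CPU: $($s.KVAShadowRequired)"
    }
)

$report | Format-Table -AutoSize

# Exit code for use from a deployment or monitoring script: non-zero when Meltdown
# protection is required on this CPU but is not active.
if ($s.KVAShadowRequired -and -not $s.KVAShadowWindowsSupportEnabled) { exit 1 }
exit 0
```

On a host that was patched and then received KB4078130 as recommended above, expect the Spectre Variant 2 row to show WindowsSupport True but Enabled False; that is the intended state until a revised microcode is available. The Meltdown row should show Enabled True on Intel® processors once the Windows update is installed.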
The Genetec team has been testing its products over the last few days to quantify the possible impacts as described hereunder. Along with the performance impact, we are also assessing the potential risk posed by these vulnerabilities for each of our products.
Please see the list of possible affected Genetec products and available patches below.
Note: the Synergis™ Cloud Link row was updated on 01/18/2018 to emphasize that the Windows patch needs to be applied after Softwire 10.6 has been installed.
Product | Impacted? | Patch applied? | Patch performance impact* | Risk assessment | Comments |
---|---|---|---|---|---|
Security Center - Omnicast™ | Yes | To be applied by the client | Archiver: | Patch as soon as possible and be aware of possible performance issues | Biggest impact on media gateway and decoding observed while decoding many low-resolution streams simultaneously |
Security Center - Synergis™ | Yes | To be applied by the client | Negligible | Patch as soon as possible | |
Security Center - AutoVu™ | Yes | To be applied by the client | Negligible | Patch as soon as possible | |
AutoVu™ SharpV | Yes | No | Negligible | Low | Exploitation requires the attacker to run code, which is not allowed on the SharpV |
AutoVu™ Sharp 2.0, Sharp 3.0, SharpX | No | N/A | N/A | N/A | |
Synergis™ Cloud Link | Yes | Clients to apply Genetec Security Rollup 20180109 (Softwire 10.6 required) | Negligible | Low | Exploitation requires the attacker to run code, which is not allowed on the Synergis Cloud Link |
SV16v3 and up | Yes | To be applied by the client | 0 - 35% | Patch as soon as possible | Biggest impact seen while decoding full HD streams; enough performance margin in the device for the impact to be negligible for the client |
SV32 (all versions) | Yes | To be applied by the client | 0 - 46% | Patch as soon as possible and be aware of performance issues | Biggest impact seen while decoding full HD streams |
SVPro | Yes | To be applied by the client | 0 - 30% | Patch as soon as possible | |
SV-1000 and up (formerly known as BCD server) | Yes | To be applied by the client | 20 - 35% | Patch as soon as possible and be aware of performance issues | High-performance archivers running above 1200 Mbps will notice a degradation of their system |
Genetec Clearance™ | Yes | Yes | Negligible | N/A | Has been patched in Microsoft Azure |
*This is the relative percentage increase in CPU usage. For example, if CPU usage was originally 10% and the patch performance impact in the table above is 25%, actual CPU usage will be 12.5% after the patch is applied. This performance impact is not necessarily noticeable to the user.
This advisory will be updated if other relevant facts come to light in the future.
Additional references
HP Meltdown and Spectre security advisory page with chipset update link
Dell Meltdown and Spectre security advisory page with chipset update link
Do not hesitate to contact the Genetec Security Team for more information.