Meltdown and Spectre vulnerabilities mitigation recommendations for Genetec products

Two potential security vulnerabilities affecting Windows operating systems and Intel® processors have been discovered. These vulnerabilities may lead to unauthorized access to information.

*January 31st, 2018 update below*

Intel® has issued a new advisory urging its OEMs, software vendors, and end users to stop the deployment of its Spectre patch because it was causing system reboots for some of its systems.

Therefore, HP and Dell removed the microcode updates that were previously available and will issue revised updates once they become available. Microsoft also issued an out of cycle KB4078130 (Catalog, Description) which essentially disables the mitigation for CVE-2017-5715 (Spectre Variant 2). This update targets all systems that have been patched with Intel®’s recalled microcode.

We recommend our customers to update their system in accordance with what is prescribed in the table below but refrain from updating the microcode at the moment. Customers who have already applied the recalled microcode on their system should apply Windows KB4078130.

Further updates will be made to this security advisory when a new microcode becomes available.

On January 3rd, 2018, two potential security vulnerabilities were disclosed publicly. The Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753, CVE-2017-5715) vulnerabilities may lead to unauthorized access to information on a Windows system. To exploit these vulnerabilities, one must have the ability to execute code on the targeted device.

These vulnerabilities affect Windows operating systems running on Intel® processors (Meltdown & Spectre) and AMD processors (Spectre).

Some Genetec products include a combination of the Windows operating systems and Intel® processors (Streamvault™ appliances, Synergis™ Cloud Link, AutoVu™ Sharp cameras). Also, Security Center can be installed on these components. Therefore, these vulnerabilities could be utilized to gain unauthorized access to information stored by Genetec products, while this has never been observed in the past.

Microsoft released an advisory offering guidance and patches for Windows clients (KB 4073119), Windows Servers (KB 4072698) as well as a PowerShell Script (Speculation Control Validation PowerShell Script) validating that the patches were successfully applied. Microsoft also specifies that a processor microcode or firmware update must be installed along with the Windows patches for customers to be fully protected against the vulnerabilities.

The Genetec team has been testing its products over the last few days to quantify the possible impacts as described hereunder. Along with the performance impact, we are also assessing the potential risk posed by these vulnerabilities for each of our products.

Please see the list of possible affected Genetec products and available patches below.

Note: the Synergis Cloud Link cell has been updated on 01/18/2018 to emphasize that the window patch needs to be applied after Softwire 10.6 has been installed.

Product

Impacted?

Patch applied?

Patch performance impact*

Risk assessment

Comments

Security Center - Omnicast

Yes

To be applied by the client

Archiver:
25 - 30%
Media Router:
15 - 25%
Media Gateway:
15 - 25%
Security Desk decoding:
5 - 45%

Patch as soon as possible and be aware of possible performance issues

Biggest impact on media gateway and decoding observed while decoding lots of low resolution streams simultaneously

Security Center - Synergis

Yes

To be applied by the client

Negligible

Patch as soon as possible 

 

Security Center - AutoVu

Yes

To be applied by the client

Negligible

Patch as soon as possible 

 

AutoVu SharpV

Yes

No

Negligible

Low

- Exploitation requires the attacker to run code which isn’t allowed on the SharpV
- Bios patch untested

AutoVuSharp 2.0, Sharp 3.0, SharpX

No

N/A

N/A

N/A

 

Synergis Cloud Link

Yes

Clients to apply Genetec Security Rollup 20180109 (Softwire 10.6 required)

Negligible

Low

-Exploitation requires the attacker to run code which isn’t allowed on the Synergis Cloud Link
- Bios patch untested

SV16v3 and up

Yes

To be applied by the client

0 - 35%

Patch as soon as possible

-Biggest impact seen while decoding full HD streams

-Enough performance margin in the device for the impact to be negligible for the client

SV32 (all versions)

Yes

To be applied by the client

0 - 46%

Patch as soon as possible and be aware of performance issues

-Biggest impact seen while decoding full HD streams
-Performance impact is noticeable. The maximum amount of full HD streams decodable simultaneously is reduced

SVPro

Yes

To be applied by the client

0 - 30%

Patch as soon as possible

 

SV-1000 and up (formely known as BCD server)

Yes

To be applied by the client

20 - 35%

Patch as soon as possible and be aware of performance issues

- High performance archiver running above 1200 Mbps will notice a degradation of their system

Genetec Stratocast

Yes

Yes

Negligible

N/A

Has been patched in Microsoft Azure

Genetec Clearance

Yes

Yes

Negligible

N/A

Has been patched in Microsoft Azure

 

*This represents the percentage of increase in CPU. For example, if the CPU was used originally at 10% and the patch performance impact in the table above is 25%, then the actual CPU usage will be 12.5% after the patch is applied. This performance impact is not necessarily noticeable by the user.

This advisory will be updated if other relevant facts come to light in the future.

Additional references

HP Meltdown and Spectre security advisory page with chipset update link

Dell Meltdown and Spectre security advisory page with chipset update link

Do not hesitate to contact the Genetec Security Team for more information.

Previous Article
5 reasons retailers are moving to cloud-based surveillance
5 reasons retailers are moving to cloud-based surveillance

Have you ever seen a retail store without some form of video surveillance? Likely not. For most brick-and-m...

Next Article
Access control beyond the door
Access control beyond the door

Happy and rested employees create a great office culture. And doesn’t every organization want that? It’s wh...