Security vulnerability affecting Security Center

July 24, 2018

A critical security vulnerability which can lead to unauthenticated remote code execution has been discovered in the Genetec Security Center product line. This vulnerability was disclosed privately by a third-party organization hired by Genetec to conduct penetration tests on Security Center. There is currently no evidence of this vulnerability being exploited to attack Security Center systems.

Risk assessment

This vulnerability affects Security Center's parsing of messages received from the network. Exploitation does not require the attacker to be authenticated in Security Center. A successful exploit could allow an attacker to execute arbitrary code and take control of the operating system hosting the Security Center role. The CVSS v3.0 base score for this vulnerability is 9.0 (Critical).

Recommendation

We have issued security patches (cumulative updates) for all affected versions and recommend that our customers apply the appropriate patch as soon as possible.

Workarounds

If you are unable to apply the patch (cumulative update) immediately, an alternative, short-term option is to disconnect Security Center from the network until you can apply the patch, which should be done as soon as possible.

Patch details

The patch is applicable to client and server components of Security Center. Note that the patch does not impact performance. All Cloud products affected by this vulnerability have already been patched.

Affected products and patch release version

Product                        Affected?   Patch applied?                 Patch release version
Security Center 5.7            Yes         To be applied by the client    5.7 SR2 CU1
Security Center 5.6            Yes         To be applied by the client    5.6 SR4 CU8
Security Center 5.5            Yes         To be applied by the client    5.5 SR5 CU14
Security Center 5.4            Yes         To be applied by the client    5.4 SR3 CU12
Security Center 5.3            Yes         To be applied by the client    5.3 SR4 CU7
Security Center 5.2            Yes         To be applied by the client    5.2 SR11 CU2
Security Center SaaS Edition   Yes         Yes                            Version dependent
Genetec Stratocast™            Yes         Yes                            N/A
Genetec Clearance™             No          N/A                            N/A
Omnicast 4.x                   No          N/A                            N/A

If you would like more information or need assistance with patch application, please log in to the Genetec Technical Assistance Portal (GTAP) to open a ticket.
