BlueKeep vulnerability affecting Genetec products
On May 14th, Microsoft released fixes for a critical Remote Code Execution vulnerability in the Remote Desktop Protocol affecting Microsoft Windows versions 7 or older.
Certain Genetec products using a vulnerable version of Windows and for which remote desktop is enabled are affected.
Risk assessment
The BlueKeep vulnerability (CVE-2019-0708) can be spread from and to vulnerable computers without human intervention. Microsoft has released security patches for the deprecated versions of Windows and assigned a CVSS v3.0 base score of 9.8 (Critical) to this vulnerability.
Recommendation
Genetec has issued a software update for its embedded devices affected by this vulnerability and recommend applying it as soon as possible.
Certain Streamvault hardware produced in the past were shipped with a Windows version that is affected by this vulnerability. Genetec recommends keeping all Streamvault products up-to-date by applying the Windows security patches as soon as possible.
Please note that older Sharp OS versions might also be affected if they haven’t been updated. Please make sure to apply the latest patch update. See the table below for more details.
Workarounds
If the security patches can’t be applied in a timely fashion, it is possible to block TCP port 3389 at the enterprise perimeter firewall. Please refer to the Workaround section of the CVE-2019-0708 page on the Microsoft website for more details.
Affected products
Product | Affected? | Patch release version |
Sharp 2.0, X1, X2, X2M, X4M | Yes | |
Sharp 3.0, XS, XSM, XSU | No1 | N/A |
SharpV | No | N/A |
SMC | No2 | N/A |
Synergis Cloud Link | No2 | N/A |
Genetec Clearance | No | N/A |
SV-16 v1, v2, v3 | Yes | Apply Microsoft patches |
SV-32 v1, v2 | Yes | Apply Microsoft patches |
SVPro v1, v2, v3 | Yes | Apply Microsoft patches |
All other SV products | No | N/A |
1Sharp OS versions 11.4 SR1 and older have the RDP enabled by default and were therefore vulnerable. Please make sure to update to the latest image.
2 These products are manufactured with the RDP disabled by default. However, if you have contacted the support team by phone, the RDP could have been enabled on those devices. Please follow the instructions to disable the RDP in Security Center Synergis™ mentioned in KBA-78992.
If you would like more information or need assistance with applying the patch, please log in to the Genetec Technical Assistance Portal (GTAP) to open a ticket. To log in to the Genetec Portal, you must be a Security Center user with the appropriate credentials. If you do not have access credentials, please contact channelsales@genetec.com.