High severity vulnerability affecting Security Center Web SDK role
A high-severity vulnerability that can lead to arbitrary code execution on the system hosting the Web SDK role was found in the Genetec™ Security Center product line. This vulnerability was reported via the Genetec bug bounty program. There is currently no evidence of this vulnerability being exploited.
Risk assessment
This vulnerability (CVE-2024-7059) affects the Web-based SDK of Security Center. An attacker who successfully exploits this vulnerability may be able to execute arbitrary code instead of the reserved set of functions normally allowed by the SDK. The code will run with administrative privileges on the machine on which the Web-based SDK role is installed. The CVSS v4.0 base score for this vulnerability is 8.9 (High).
Details
For the vulnerability to be exploitable, the attacker needs all of the following:
- The Web-based SDK role activated (by default, this role is deactivated).
- A valid Security Center user account with the privilege to "log on using the SDK".
- A valid Web-based SDK certificate.
Recommendation
Customers running an affected version of Security Center should update as soon as possible.
Workarounds
If the Security Center instance cannot be updated in a timely fashion, the system administrator should deactivate the Web-based SDK role.
Affected products
| Product | Affected | Patch & comments |
| --- | --- | --- |
| Security Center SaaS Edition | Patched | N/A |
| Security Center 5.13 | No | N/A |
| Security Center 5.12 | Yes | Patched in 5.12.1.3 and 5.12.2.1 |
| Security Center 5.11 | Yes | Patched in 5.11.3.13 |
| Security Center 5.10 | Yes | Patched in 5.10.4.23 |
| Security Center 5.9 | Yes | Patched in 5.9.5.8 |
| Security Center 5.8 | Yes | Patched in 5.8.2.1 |
| Older Security Center versions | Yes | Update to a Security Center version with supported maintenance. |
| Other Genetec products | No | N/A |
For more information or assistance, please log in to the Genetec Technical Assistance Portal (GTAP) to open a support case.
Acknowledgement
Thank you to the following contributors: Algosecure and Louis Moubinous