High severity vulnerability affecting Security Center Web SDK role

A high-severity vulnerability that can lead to arbitrary code execution on the system hosting the Web SDK role was found in the Genetec™ Security Center product line. The vulnerability was reported through the Genetec bug bounty program. There is currently no evidence of it being exploited.

Risk assessment

This vulnerability (CVE-2024-7059) affects the Web-based SDK of Security Center. An attacker who successfully exploits it may be able to execute arbitrary code, rather than being limited to the restricted set of functions the SDK normally exposes. That code runs with administrative privileges on the machine on which the Web-based SDK role is installed. The CVSS v4.0 base score for this vulnerability is 8.9 (High).

Details

For the vulnerability to be exploitable, the attacker needs to have:

• Activated the Web-based SDK role (by default, this role is deactivated).
• A valid Security Center user with the privilege to "log on using the SDK".
• A valid Web-based SDK Certificate.

Recommendation

Customers running an affected version of Security Center should update as soon as possible.

Workarounds

If the Security Center instance cannot be updated in a timely fashion, the system administrator should deactivate the Web-based SDK role.

Affected products

Product                          Affected   Patch & comments
Security Center SaaS Edition     Patched    N/A
Security Center 5.13             No         N/A
Security Center 5.12             Yes        Patched in 5.12.1.3 and 5.12.2.1
Security Center 5.11             Yes        Patched in 5.11.3.13
Security Center 5.10             Yes        Patched in 5.10.4.23
Security Center 5.9              Yes        Patched in 5.9.5.8
Security Center 5.8              Yes        Patched in 5.8.2.1
Older Security Center versions   Yes        Update to a Security Center version with supported maintenance.
Other Genetec products           No         N/A
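The following script is an added example (not Genetec code) for administrators who need to triage an inventory of on-premises Security Center installations against the table above. The fix builds are copied from the table; the version string format (four dotted integers, e.g. 5.12.1.2) and the treatment of a patch line newer than every listed fix as already carrying the fix are assumptions. The SaaS Edition is patched centrally and is not represented by a version string here.

```python
"""Assess a Security Center version string against the fix builds listed in
the advisory for CVE-2024-7059.  Added example, not Genetec code."""

from typing import Tuple

Version = Tuple[int, ...]

# Patched builds per maintenance branch, copied from the Affected products table.
FIXED_BUILDS = {
    (5, 12): [(5, 12, 1, 3), (5, 12, 2, 1)],
    (5, 11): [(5, 11, 3, 13)],
    (5, 10): [(5, 10, 4, 23)],
    (5, 9): [(5, 9, 5, 8)],
    (5, 8): [(5, 8, 2, 1)],
}
FIRST_UNAFFECTED_BRANCH = (5, 13)   # 5.13 is listed as not affected
OLDEST_SUPPORTED_BRANCH = (5, 8)    # older branches: update to a supported version


def parse_version(text: str) -> Version:
    """Parse 'a.b.c.d' into a tuple of ints; format is an assumption."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"need at least major.minor: {text!r}")
    return parts


def assess(version_text: str) -> str:
    """Return one of: not_affected, patched, affected, unsupported."""
    v = parse_version(version_text)
    v = v + (0,) * (4 - len(v))      # pad so comparisons are well defined
    branch = v[:2]
    if branch >= FIRST_UNAFFECTED_BRANCH:
        return "not_affected"
    if branch < OLDEST_SUPPORTED_BRANCH:
        return "unsupported"
    fixes = FIXED_BUILDS[branch]
    # Only fixes on this build's patch line, or an earlier one, can apply.
    # A build on a patch line below every listed fix (e.g. 5.12.0.x) has no
    # applicable fix and is affected.  A build on a line newer than all listed
    # fixes is assumed to include them (assumption, see lead-in).
    applicable = [f for f in fixes if f[:3] <= v[:3]]
    if not applicable:
        return "affected"
    return "patched" if v >= max(applicable) else "affected"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("cam-srv-01", "5.12.1.2"), ("cam-srv-02", "5.12.2.1"),
                      ("cam-srv-03", "5.11.2.0"), ("cam-srv-04", "5.13.0.0")]:
        print(f"{host}: {ver} -> {assess(ver)}")
```

Note that the 5.12 branch has two fix builds on different patch lines; a 5.12.2.0 build is below 5.12.2.1 and therefore still affected even though it is numerically above 5.12.1.3, which is why the check compares against fixes on the same patch line rather than against the branch's lowest fix.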

For more information or assistance, please log in to the Genetec Technical Assistance Portal (GTAP) to open a support case.

Acknowledgement

Thank you to the following contributors: Algosecure and Louis Moubinous.