High severity vulnerability affecting the Authentication Service role in Security Center

March 10th, 2022

A high-severity vulnerability that can lead to an elevation of privileges has been discovered in the Genetec Security Center product line. The vulnerability was found by the Genetec internal security team. There is currently no evidence of this vulnerability being exploited to attack Security Center systems.

Risk assessment

This vulnerability affects the Authentication Service role when configured to use the OpenID Connect or SAML2 authentication protocols. A specific configuration of the external Identity Provider (IdP) used by that role combined with a particular configuration of Security Center privileges can allow an authenticated attacker to impersonate another user and gain their associated privileges.  

The CVSS v3.1 base score of this vulnerability is 8.8 (High). 

Details

The vulnerability can be exploited only when several conditions are met. The administrator must have configured the Authentication Service role to use a username claim or assertion that is not guaranteed to be unique within the IdP tenant account, for instance the user's email address (condition 1). The IdP must also allow a user to change this attribute to that of another existing user who has already connected to Security Center (condition 2). That previously existing user must have been manually placed in a high-privilege native user group such as the Administrators group (condition 3). When all three conditions are met, the malicious user is able to impersonate the other user and inherit their privileges.

For condition 2 to be met, the OpenID Connect or SAML2 protocol must be in use; systems using Active Directory to authenticate into Security Center are not affected. Moreover, the IdP must allow the username attribute of a given user, such as the e-mail address, to be identical to that of another user. Okta is known to be configurable in this fashion, but other IdPs supporting the OpenID Connect and SAML2 protocols may allow such a configuration as well.

The privileges of a user authenticating into Security Center via an IdP are bound to the groups of which that user is a member. There are two kinds of groups: those coming from the IdP, based on the Group claim or assertion, and those native to Security Center, such as the Administrators group. Users authenticating via OpenID Connect or SAML2 are typically members of groups configured on their IdP. For condition 3 to be met, the malicious user must impersonate another user who has been manually added to a Security Center native group.

This vulnerability affects versions of Security Center 5.9.2 and newer. The previous versions of Security Center are unaffected since the ability to authenticate with the OpenID Connect and SAML2 protocols was introduced in 5.9.2. See the table below for more details. 

Recommendation

Genetec recommends that all systems using the OpenID Connect or SAML2 protocol to authenticate users into Security Center be updated to version 5.9.4.6 or 5.10.3.1. 

Workarounds

If the security patches cannot be applied in a timely fashion, system administrators must make sure that the username claim or assertion configured in the Authentication Service role is guaranteed to be unique within the IdP tenant and cannot be changed by the users themselves. If that is not the case, system administrators must disable the Authentication Service role until the security patch is applied.
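As an added illustration (not Genetec code, and not a description of Security Center internals) of the account mapping described under Details and of the uniqueness check this workaround calls for: a relying party that links IdP tokens to local accounts by a mutable, non-unique claim such as email grants the privileges of whichever local account carries that email, whereas linking by the IdP's stable subject identifier does not. All user records, identifiers and the claim name `sub` as the stable identifier are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class LocalUser:
    """A local account created at a user's first IdP login."""
    sub: str                      # IdP's stable subject identifier
    email: str                    # mutable attribute, not guaranteed unique
    groups: set = field(default_factory=set)


# Constructed sample user store (all values made up). Alice was manually
# added to a native high-privilege group, as in condition 3 of the advisory.
LOCAL_USERS = [
    LocalUser("idp|1001", "alice@example.test", {"Administrators"}),
    LocalUser("idp|1002", "bob@example.test"),
]


def resolve_user(claims, username_claim):
    """Map an incoming token to a local account by the configured username claim.

    username_claim="email" models the weak configuration (condition 1);
    username_claim="sub" models the safe one, assuming the IdP guarantees
    that sub is unique per user and not user-editable.
    """
    wanted = claims.get(username_claim)
    if wanted is None:
        return None
    for user in LOCAL_USERS:
        if getattr(user, username_claim, None) == wanted:
            return user
    return None


def effective_groups(claims, username_claim):
    """Groups the caller inherits under the given configuration."""
    user = resolve_user(claims, username_claim)
    return set(user.groups) if user else set()


def claim_is_unique(idp_users, claim):
    """Workaround check: every IdP user must carry a distinct, non-empty value.

    idp_users: list of dicts as an IdP directory export would provide them.
    """
    values = [u.get(claim) for u in idp_users]
    return all(values) and len(set(values)) == len(values)


# Constructed: the token Bob's IdP issues after his email attribute was
# changed to Alice's (condition 2). His sub is unchanged.
BOB_TOKEN = {"sub": "idp|1002", "email": "alice@example.test"}
```

Run `claim_is_unique` over an export of the IdP tenant for the claim the role is configured with; a `False` result means the workaround's first requirement is not met and the role should be disabled until patched.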

Affected products

Product                            | Affected? | Details                                                                   | Patch release version
Security Center 5.10.x             | Yes       | Only if the Authentication Service Role is used with the OpenID protocol  | 5.10.3.1
Security Center 5.9.2 to 5.9.4     | Yes       | Only if the Authentication Service Role is used with the OpenID protocol  | 5.9.4.6
All other Security Center versions | No        |                                                                           |
Security Center SaaS Edition       | Patched   |                                                                           |

If you would like more information or need assistance, please log in to the Genetec Technical Assistance Portal (GTAP) to open a ticket. To log in to the Genetec Portal, you must be a Security Center user with the appropriate credentials. If you do not have access credentials, please contact channelsales@genetec.com.