Skip to main content

High severity vulnerability affecting the Hardware Inventory Task of Security Center

Update: The "Recommendation" section has been updated to specify that only servers need to be updated.

April 5, 2023

A high-severity vulnerability that can lead to a full compromise of the system hosting the SQL database was found in the Genetec Security Center product line. This vulnerability was discovered internally by the Genetec engineering team. There is currently no evidence of this vulnerability being exploited otherwise. 

Risk Assessment  
This vulnerability (CVE-2023-1522) affects the Hardware Inventory Report section of Security Center 5.11.2. An attacker who successfully exploits this vulnerability may be able to execute any SQL query on any database hosted on the Microsoft SQL server used by the Genetec Directory, as well as run system commands with administrative privileges on its underlying operating system. The CVSS v3.1 base score for this vulnerability is 8.5 (High).  

Details 
The Hardware Inventory Report is a page that is accessible through the Genetec Security Desk and Config Tool client applications and allows an authenticated/authorized user with the inventory management privileges to list available hardware based on a list of filters. Due to a lack of proper sanitization on the backend service, an attacker can bypass the client-side protection and craft a malicious payload to send arbitrary SQL queries to the system through this task. 

Recommendation 
Customers running Security Center 5.11.2 should update the Security Center servers hosting the Directory service to version 5.11.2.1 or newer as soon as possible.

Workarounds 
If the Security Center instance cannot be updated in a timely fashion, the system administrator should remove the Hardware Inventory Task privilege from all users until the patch is applied. 

Affected Products 

Product Affected Patch Release Version 
Security Center 5.11.2  Yes 5.11.2.1
Security Center SaaS Edition  Patched N/A 
All other Security Center versions  No N/A 
Other Genetec products  No N/A 

For more information or assistance, please log in to the Genetec Technical Assistance Portal (GTAP) to open a support case.