A critical security vulnerability that can lead to unauthenticated remote code execution has been discovered in the Genetec Security Center product line. The vulnerability was disclosed privately by a third-party organization hired by Genetec to conduct penetration tests on Security Center. There is currently no evidence of this vulnerability being exploited to attack Security Center systems.

Risk assessment

This vulnerability affects Security Center's parsing of messages received from the network. It can be exploited by an attacker who is not authenticated to Security Center. A successful exploit could allow the execution of arbitrary code and give the attacker control of the operating system hosting the Security Center role. The CVSS v3.0 base score for this vulnerability is 9.0 (Critical).

Recommendation

We have issued security patches (cumulative updates) for all affected versions and recommend that our customers apply the appropriate patch as soon as possible.

Workarounds

If you are unable to apply the patch (cumulative update) immediately, a short-term alternative is to disconnect Security Center from the network until the patch can be applied. The patch should still be applied as soon as possible.

Patch details

The patch applies to both the client and server components of Security Center. The patch does not impact performance. All cloud products affected by this vulnerability have already been patched by Genetec.

Affected products and patch release version

Product                        Affected?   Patch applied?                Patch release version
Security Center 5.7            Yes         To be applied by the client   5.7 SR2 CU1
Security Center 5.6            Yes         To be applied by the client   5.6 SR4 CU8
Security Center 5.5            Yes         To be applied by the client   5.5 SR5 CU14
Security Center 5.4            Yes         To be applied by the client   5.4 SR3 CU12
Security Center 5.3            Yes         To be applied by the client   5.3 SR4 CU7
Security Center 5.2            Yes         To be applied by the client   5.2 SR11 CU2
Security Center SaaS Edition   Yes         Yes                           Version dependent
Genetec Stratocast™            Yes         Yes                           N/A
Genetec Clearance™             No          N/A                           N/A
Omnicast 4.x                   No          N/A                           N/A

If you would like more information or need assistance with applying the patch, please log in to the Genetec Technical Assistance Portal (GTAP) to open a ticket.