Genetec Self-Discloses Critical Vulnerability

Excellent! That's how it should be done!

I like the move by Genetec.  I think it's fine that they're not fully explaining the vulnerability either.  Why give low grade hackers a blueprint on how to exploit systems?  I think telling the public that there is a vulnerability, a fix and please update is a good move.

I am not surprised that Genetec did not disclose details of an exploit or proof of concept. Those things are often done by researchers as a way to prevent the affected company from claiming the issue is "very complex to execute" or "only affecting certain products", and similar excuses. Proof of concept works allow users to verify if their systems are affected, and judge for themselves the technical complexities if the manufacturer does not respond or tries to spin the issue.

In this case Genetec is openly admitting the vulnerability, issuing a patch, and disclosing which products/versions are affected. Releasing a proof of concept would only put customers at undue risk at this point.

I don't use Genetec as much as I should, does anyone know if their cloud controller is still running on Windows 7 embedded? Has anyone tried to Konboot one those controllers?

In other news, if you use a Synology NAS for any cctv or other storage deployments, DSM needs to be patched for a vulnerability released yesterday on Synology's website.

https://www.synology.com/en-global/support/security/Synology_SA_18_39

It's nice to see that Genetec hires pen testers. I wonder if this is standard industry practise among the big players, or if this is something unique? 

Impressive, kudos for Genetec.

I don't know how Genetec's pricing structure works, but when we find a bug in Exacq (and there have been some nasty ones in v6.0 and 9.0) it costs money to upgrade. So Genetec may be looking at this as a profit center and spinning it as a "look at us, we take the high road" scenario.

I'm not a huge fan of Genetec as they are a closed dealer-only system. Despite all HIK and Exacq's flaws, at least they don't discriminate against smaller and medium sized companies. (Ie - with Genetec you can't join the old boys club). And I'd be willing to bet Genetec has a boatload more bugs that they admit to, but since 1% of the market uses their software nobody cares.

Security through obscurity.

Cuddos to Genetec. No software, or human, is flawless. Admit when there's an issue ASAP rather than throwing it in a closet and hiding it.

As a "competitor" to Genetec, I'll say that this is absolutely the correct approach.  Vulnerabilities are to be expected, as what was secure yesterday might not be tomorrow.  A proactive (and public) methodology to addressing these types of issues will always instill a higher level of confidence with your customer base.

Good thing they blocked Hikvision, for safety sake and all. 

 I think that this admission shows that they truly do care about their reputation and want to ensure the protection of their customers data privacy. Unlike some vendors that obfuscate, cajole, humiliate and outright deny their vulnerabilities so that they can get more sales. 

There was a time that disclosure didn't ruin a company  - it enhanced the trust of the firm. Instead of lambasting Genetec, we should be applauding them on their transparency - I don't even sell the product. 

Hats off to you Genetec.

It seems the link to the CVSS Base Score Calculator isn't working. Is it just me?

Genetec self-disclosed another vulnerability, related to a potential blank password tied to a default admin account: Media Gateway Vulnerability. It is scored a CVSS v3.0 base score of 7.5 (High) because RTSP can be used to gain unauthorized access to any camera's live or stored video.

About this latest vulnerability, Genetec told IPVM:

The vulnerability was found in an early version of Security Center 5.8 prior to its release by the pentesters we hired.  Since the default user used for the Media Gateway is the same default user present in Security Center upon installation (aka the Admin user) it was believed that the mandatory password change in the Installer Assistant upon first connection in the Config Tool would also change the password in the Media Gateway. This assumption was false and is the root cause of the issue.

The Media Gateway is not a role created by default in Security Center. A user manually creating Media Gateway role and following the steps detailed in the Administrator Guide wouldn’t have had any issue (we are however updating our hardening guide just to be sure). The real problem arises when a user creates a Web Client role, as this automatically also creates a Media Gateway role that the user may not be aware that s/he created. We can’t expect users to be aware of this, and that is reason why an advisory was published.

Naturally, the worst case scenario was assumed in the announcement but it is not easy to exploit: the hacker still has to discover the unique hexadecimal number (called Guid) for each camera they wants to access via the RTSP interface.

The Genetec GUID is a group of hexadecimal numbers that often includes the MAC address of the device (in this example an Axis camera's GUID):