Genetec Self-Discloses Critical Vulnerability

Excellent! That's how it should be done!

I like the move by Genetec.  I think it's fine that they're not fully explaining the vulnerability either.  Why give low grade hackers a blueprint on how to exploit systems?  I think telling the public that there is a vulnerability, a fix and please update is a good move.

"Trustworthiness" and "vulnerabilities" are obviously two different things, let's not confuse them.  All software has the potential for vulnerabilities but do you trust the organization is making security an important aspect of their product/solution and therefore will be forthcoming e.g. diligent in finding/making known and patching said vulnerabilities?  When asking these questions (if this is important to you or relevant in your business model) one can only look at past experiences and history.

As predicted, genetec has vulnerabilities, they get praised. Hikvision gets hacked, they are accused of going to war with the usa. Looking forward to more comments like this.

It's nice to see that Genetec hires pen testers. I wonder if this is standard industry practise among the big players, or if this is something unique? 

Impressive, kudos for Genetec.

I don't know how Genetec's pricing structure works, but when we find a bug in Exacq (and there have been some nasty ones in v6.0 and 9.0) it costs money to upgrade. So Genetec may be looking at this as a profit center and spinning it as a "look at us, we take the high road" scenario.

I'm not a huge fan of Genetec as they are a closed dealer-only system. Despite all HIK and Exacq's flaws, at least they don't discriminate against smaller and medium sized companies. (Ie - with Genetec you can't join the old boys club). And I'd be willing to bet Genetec has a boatload more bugs that they admit to, but since 1% of the market uses their software nobody cares.

Security through obscurity.

As a "competitor" to Genetec, I'll say that this is absolutely the correct approach.  Vulnerabilities are to be expected, as what was secure yesterday might not be tomorrow.  A proactive (and public) methodology to addressing these types of issues will always instill a higher level of confidence with your customer base.

I always prefer to be aware of a vulnerability and how to address it. If the manufacturer quietly addresses it and just includes the fix in the next release, then there open the door for end-users to skip an update they deem not critical(since they don't know it will fix a major vulnerability) and expose them to an attack. As noted in the previous comments the fix is also provided for systems with expired SMA and clearly shows Genetec is not trying to monetize the issue. In those cases, the quiet fix in the next release will not address the issue either.  

Good thing they blocked Hikvision, for safety sake and all. 

It seems the link to the CVSS Base Score Calculator isn't working. Is it just me?

Genetec self-disclosed another vulnerability, related to a potential blank password tied to a default admin account: Media Gateway Vulnerability. It is scored a CVSS v3.0 base score of 7.5 (High) because RTSP can be used to gain unauthorized access to any camera's live or stored video.

About this latest vulnerability, Genetec told IPVM:

The vulnerability was found in an early version of Security Center 5.8 prior to its release by the pentesters we hired.  Since the default user used for the Media Gateway is the same default user present in Security Center upon installation (aka the Admin user) it was believed that the mandatory password change in the Installer Assistant upon first connection in the Config Tool would also change the password in the Media Gateway. This assumption was false and is the root cause of the issue.

The Media Gateway is not a role created by default in Security Center. A user manually creating Media Gateway role and following the steps detailed in the Administrator Guide wouldn’t have had any issue (we are however updating our hardening guide just to be sure). The real problem arises when a user creates a Web Client role, as this automatically also creates a Media Gateway role that the user may not be aware that s/he created. We can’t expect users to be aware of this, and that is reason why an advisory was published.

Naturally, the worst case scenario was assumed in the announcement but it is not easy to exploit: the hacker still has to discover the unique hexadecimal number (called Guid) for each camera they wants to access via the RTSP interface.

The Genetec GUID is a group of hexadecimal numbers that often includes the MAC address of the device (in this example an Axis camera's GUID):