Genetec Self-Discloses Critical Vulnerability

By Sean Patton, Published Jul 31, 2018, 10:08am EDT

In an unprecedented move for the video surveillance industry, Genetec has self-disclosed a critical software vulnerability across Security Center and Stratocast.

In this report we examine:

  • What the vulnerability is
  • What versions it impacts
  • Why they have released limited details
  • Why they disclosed it publicly even though no third party forced them to
  • Genetec's criticism of Chinese manufacturers / Hikvision vs their own critical vulnerability

Critical *************

******* ****** *** ************* had * **** **.* base ***** ** *.* (Critical).********* ** *** **** Base ***** **********, * **** *.* score ********* **** ********* network ******, ** ***********, and * *** ********** of ******.

***********, ******* ****:

**** ************* ******* ******** Center ******* ** ******** received **** *** *******. An ******* *** ** achieved **** ****** *** attacker ** *** ************* in ******** ******. *** exploit ***** ***** *** execution ** ********* **** and **** ******* ** the ********* ****** ******* the ******** ****** ****.

*** ************* *** ********** in ******** ****** *.* (released ~****) **** ************* could **** **** ********* for * ***** ****** it *** **********. ******* says **** **** ** reports ** ******* *** that **** ********** ** recently **** * "***** party ************ ***** ** Genetec ** ******* *********** tests" ******** ** ** them.

No ************* *******

*******'* ********** **** *** include ********* ******* *** a ***** ** ******* exploiting *** *************. **** is ******** *** *************** discovered *** ******** ** independent ******** *********** (*.*.,**** ************* *********).

A **** ****-**********

*********, ** * ******** such ** *******'*, ***** they **** *** *********** tester, *** ************* ***** be ******* *******, **** no ****** ****** *** the ****** ***** ** NDA ******* **** **** public *******, ********* ** various **** *******.

** ** **** *** companies ** ****-******** ** Genetec ***, ** ******* instance ************* ********* * ******* password ***************** ****. *********'* ********** was * **** ***** level ******** *****, **** affecting **, ********* *** Express, *** *** ********* control ** *** ********* system ** *** ******. It **** *** *** require * ******** ******, just ******** *** ******* user ** ******** *** password ** *** *******.

******* ** ** ** rare *** ************* ** self-disclose, ** * ********** ****** ** ********** Responsibility, *********** ********* **** would *** ***** ************* to ****-******** ******** ******.

Notification *****

******* **** ** ***** that ********* *** **** information ** *** ********** on ***** *******.

No ******* *********

******* ********* ** **** why **** *** *** sharing **** *******:

** ****** ** ******** the ************* ******** ** maximize *** ******* **** our ********* ****** ***** of ** *** ***** the *******. ** ** also ** **** **** the ************* ********** **** practices ********* ******* ** the ******** ********.

** ** ********** *** case ** ********, ******** what ** ******** ** that ******** *** * trade-off. **** **** ******** we ******* ** ****** the ***** ******* ******* disclosing ****** ******* ** that *** ******** *** conduct ***** *** **** assessment *** ***** *** patches ********* ** ***** own **** ********* ***** at *** **** **** avoiding ******* ******* ** providing ****** ******* ** that **** *** ***** exploit **** *** *** disclosed *************.

Patch ** *********

*******'* **** ***** *** Service *******/********** ****** ***** required *** **** ******* of ******** ******, *** recommends ******** *********** ** removing ******* ******* ****** to *** ******. ***** that **** ******* ******* are ******** ** ********** multi-site, *****-******** ************, ******** outside ******* ****** ***** essentially ******* *** ********* of ***** *******. ** such, ******** ******** ********* upgrades.

Criticism ** ******* *************

******* *** **** **** vocal ***** ************* ********, specifically ******* *************, **** notably ** ********* ********* / ************ Hikvision *** ****** *******, ****** ******** ***** their ******* ********** ******* and**** ** ******* ***** *********. ******* would ****** ***** ** the **** **** **** disclosed **** **** **** were *** ****** ** do ** ** * sign ** ***** *** trustworthiness.

*******, ***********, ********* *** Huawei ********** **** ***** out *******'* *** ******** vulnerability ** ***** **** any ************ ** ******* likely ** **** ***************.

Poll / ****

Comments (56)

bashis mcw

07/31/18 02:12pm

Excellent! That's how it should be done!

Undisclosed #5

IPVMU Certified | In reply to bashis mcw | 07/31/18 06:47pm

Excellent!!

bashis, do you still believe this is the way it should be done, considering the lack of details?

What did we really learn, just that Genetec had some undefined critical vulnerability and fixed it?  Surely it’s not the first time an inside engineer at Genetec found a hole in their own software.

If such statements were found to make us feel better about a company’s security, what’s to stop a company from just saying 

“We found a critical flaw.  We fixed it.  See, we take security seriously.”

Undisclosed Manufacturer #10

In reply to Undisclosed #5 | 08/01/18 01:04pm

Genetec actually state it was discovered by a third-party penetration testing company, not an inside engineer.

bashis mcw

In reply to Undisclosed #5 | 08/04/18 09:12pm

Well, you can't expect so much FD with in-house discoveries, pretty much same thing you don't get from M$, Cisco either (or whatever).

What's should be taken seriously is that they actually disclosure they found some serious vulnerabilities, and their customers should update to latest FW and not "hide" as "normal" update - Thats the really important part!

Undisclosed #5

IPVMU Certified | In reply to bashis mcw | 08/05/18 12:05am

What's should be taken seriously is that they actually disclosure they found some serious vulnerabilities, and their customers should update to latest FW and not "hide" as "normal" update...

Ok, that is a reasonable and sensible position.

Playing Devil’s advocate though, assuming that the corporate goal is to protect customer systems to the greatest overall degree, might a less transparent disclosure method be better?

For instance, if and only if it can be reasonably determined that the exploit has not made it into the wild yet, perhaps the initial FW patch would better be made under the guise of “IMPORTANT UPDATE -  MAJOR BUG FIXES” as opposed to “CRITICAL UPDATE TO FIX REMOTE ROOT VULNERABILITY”.

Because the latter is surely a beacon to those who might seek to use the exploit for ill-will.

And since the critical fix was immediately released, it may contain little more new code than the code needed to patch it.

This clearly defined diff code could greatly assist in reverse engineering the vulnerability itself.

On the other hand, waiting 6 months or so after the fix has been released to announce the critical vulnerability, would give the end-users more time to remediate the problem before the hackers begin to pounce.

Plus the ambiguity of not knowing which FW was the one to contain the actual fix code would make it harder to reverse engineer.

Thoughts?

Undisclosed #3

In reply to Undisclosed #5 | 08/05/18 03:09am

The information release is key concept here aka: notifications. It makes all users aware of the fragility of a certain system. Keeping patches and updates underneath the public view only circumvents the ability for a paradigm or coding perception to help rectify or change the outcome of said vulnerability. No one can just stand alone and figure things out, this is why a grey, black and white hat community exists between the voids.

Embrace those that can help you and keep your enemy near. Simple concept.

Assume reverse engineering is also in progress, if you see something F^^king say something.

There is no argument here, only trolls can enhance this conversation with BS manipulations of the system.

Undisclosed #5

IPVMU Certified | In reply to Undisclosed #3 | 08/05/18 03:54am

Keeping patches and updates underneath the public view only circumvents the ability for a paradigm or coding perception to help rectify or change the outcome of said vulnerability.

What’s the coding perception that helps rectify the vulnerability when no details of the exploit aside from the severity level is released?

 

bashis mcw

In reply to Undisclosed #5 | 08/06/18 09:14pm

I do believe that one month or 12 months before disclosure actually doesn't matter, as there will still be tons and tons of vulnerable devices that has not been patched. (look only at montecryptos FD regarding his discovery with Hikvision)

 

What i DO think matter in long run, is that vendors DO admit there are some security vulnerability in their products and they DO their security advisory about this, but I don't and you should not either expect drastic changes in customers actions into patching.

 

Lastly, I don't expect any details from vendors when they disclosure their own findings, but be very sure there will be details in Full Disclosure when I publish and most probably other 3rd parties.

 

Final, all researches are built on reverse engineering, binary diff can (mostly) only get you a hint, but never (mostly) reveal actual area to find the vulnerability.

 

My 0.02$

Undisclosed Integrator #1

07/31/18 02:17pm

I like the move by Genetec.  I think it's fine that they're not fully explaining the vulnerability either.  Why give low grade hackers a blueprint on how to exploit systems?  I think telling the public that there is a vulnerability, a fix and please update is a good move.

Undisclosed #2

07/31/18 02:19pm

I am not surprised that Genetec did not disclose details of an exploit or proof of concept. Those things are often done by researchers as a way to prevent the affected company from claiming the issue is "very complex to execute" or "only affecting certain products", and similar excuses. Proof of concept works allow users to verify if their systems are affected, and judge for themselves the technical complexities if the manufacturer does not respond or tries to spin the issue.

In this case Genetec is openly admitting the vulnerability, issuing a patch, and disclosing which products/versions are affected. Releasing a proof of concept would only put customers at undue risk at this point.

Avatar

Greg Hussey

07/31/18 02:21pm

"Trustworthiness" and "vulnerabilities" are obviously two different things, let's not confuse them.  All software has the potential for vulnerabilities but do you trust the organization is making security an important aspect of their product/solution and therefore will be forthcoming e.g. diligent in finding/making known and patching said vulnerabilities?  When asking these questions (if this is important to you or relevant in your business model) one can only look at past experiences and history.

Undisclosed #3

07/31/18 02:33pm

I don't use Genetec as much as I should, does anyone know if their cloud controller is still running on Windows 7 embedded? Has anyone tried to Konboot one those controllers?

In other news, if you use a Synology NAS for any cctv or other storage deployments, DSM needs to be patched for a vulnerability released yesterday on Synology's website.

https://www.synology.com/en-global/support/security/Synology_SA_18_39

Undisclosed End User #4

In reply to Undisclosed #3 | 07/31/18 03:16pm

Here is the response I got when inquiring with our sales engineer on the SCL, Synergis Cloud Link, OS on May 21, 2018.  I sent a follow up this morning to see if there was and update.  I will let you know what I hear back.  

Here's what I heard back from HQ:

We are still shipping the win 7 version, the version 10 will be only later this year or early next. We have over 2 years of windows support with 7 embedded and we are providing the windows critical update. 

Thibaut Louvet

In reply to Undisclosed #3 | 07/31/18 11:31pm

I am the Director of Access Control Product Group at Genetec.

While the Synergis Cloud Link appliance runs on Windows 7 embedded, there are no known vulnerabilities that affect the appliance. We always recommend keeping the firmware of your field devices updated as frequently as possible. That is why we make firmware upgrades easier by bundling Windows security updates with the Synergis Cloud Link firmware, that can be scheduled, triggered and managed directly from Security Center.

With respect to the concerns around the Kon-Boot vulnerability, an exploit is only likely with physical access to your Synergis Cloud Link appliances but they are designed to only boot from internal interfaces to mitigate this risk. We recommend installing Synergis Cloud Link in a secure cabinet stored in a secure part of your premises.

Avatar

Sean Nelson

Nelly's Security
07/31/18 03:47pm

As predicted, genetec has vulnerabilities, they get praised. Hikvision gets hacked, they are accused of going to war with the usa. Looking forward to more comments like this.

Michael Miller

In reply to Sean Nelson | 07/31/18 03:52pm

How do you not see the difference between how Genetec handled this compared to your beloved Hikvision and Dahua? 

Undisclosed End User #4

In reply to Michael Miller | 07/31/18 03:58pm

He does.  You have to remember his business is built on HIKVision.  He has to be on here to provide counter views to IPVM in order to keep business booming.  He's like the friendly guy that everyone chuckles and says "Haha that's so Sean.  Good ol' Sean."

Avatar

Sean Nelson

Nelly's Security
In reply to Michael Miller | 07/31/18 06:45pm

You have a point. With genetec, you are paying thousands per channel per vulnerability. With hikvision, you are only paying a few dollars. Big difference.

I think it would be a good idea for manufacturers to take note and implement software industry standards and block their integration with Genetec unless the user pays an upcharge. What do u think?

Undisclosed Integrator #6

In reply to Sean Nelson | 07/31/18 06:54pm

I know you are being funny but (perhaps without knowing it) you are right on the money.  If I needed a camera and NVR for my Dog House and didn't care about Chinese human rights issues et al, then Hikvision all day long, customer (being me) makes out.  If I wanted to represent the best in class solution and my customers are willing to pay for that level of quality and assurance then we could go with Genetec and a camera manufacturer that spends more energy on security related concerns.  Just saying.

Undisclosed #12

In reply to Undisclosed Integrator #6 | 08/02/18 02:53am

In my case, I prefer not to have a camera for my dog's house if I think it was built by slaves.

By the way, since there's a lot of companies reselling devices and components made in China factories, is there a way to check facts about Human Rights in those factories?

Undisclosed #2

In reply to Sean Nelson | 07/31/18 04:07pm

As predicted, genetec has vulnerabilities, they get praised. Hikvision gets hacked

Stop and think about what you just wrote for a minute. Genetec proactively hired a pen-test firm, discovered a vulnerability, patched it, and communicated this out before any hacks took place. They did not hide the fact that a vulnerability was discovered.

Hikvision, much unlike Genetec, has suffered a number of hacks, with actual devices being exploited and affected. Hikvision has generally only pushed out communications about these vulnerabilities and hacks when forced to do so, often after IPVM coverage. Hikvision has not in any way taken an approach that inspires confidence or trust in the company.

You statement then is a pretty good summary. One company works proactively to prevent a vulnerability from turning into a hack and gets praised. Another company takes a head-in-the-sand denial approach and gets flamed.

John Honovich

IPVM | In reply to Undisclosed #2 | 07/31/18 04:34pm

Genetec proactively hired a pen-test firm, discovered a vulnerability, patched it, and communicated this out before any hacks took place. 

We have no idea if any hacks took place. For example, if Hikvision's owner, the PRC, found this first, they would have happily used it for as long as they could and not tell anyone. And Genetec serves enterprise customers who have real security concerns so Genetec needs to be on top of these things.

That noted, I do agree about the difference in communication. How many critical vulnerabilities has Hikvision found in production released products that they have fixed but not announced?

Undisclosed #2

In reply to John Honovich | 07/31/18 04:57pm

We have no idea if any hacks took place.

Fair point. Change that to "before any proof of concepts were released publicly".

 

Undisclosed #3

In reply to Undisclosed #2 | 07/31/18 06:48pm

Ethical hacks may have taken place.  :/

 

 

Undisclosed Integrator #1

In reply to Sean Nelson | 07/31/18 04:14pm

I think one of the main differences is, Genetec admitting to a vulnerability BEFORE it was publicly announced.  Also, the fact that they didn't deny it, hide it under an obscure section or claim no responsibility for the vulnerability.  I know you love Hikvision, but come on Sean, even you have to admit this is the way they should handle a vulnerability.

Undisclosed Integrator #11

In reply to Sean Nelson | 08/01/18 01:47pm

If the resources aimed at HIK had been deployed to other manufacturers - this would have been identified earlier along with all of the other golden boys - but that wouldn't help the agenda of IPVM would it? That would require an unbiased, even handed policy that just doesn't sell subscriptions in the same way.

 

Scott Sheldrake

07/31/18 04:25pm

It's nice to see that Genetec hires pen testers. I wonder if this is standard industry practise among the big players, or if this is something unique? 

 

 

John Honovich

IPVM | In reply to Scott Sheldrake | 07/31/18 04:35pm

Scott, not sure if this is 'standard' but quite a number of video surveillance manufacturers are doing this now. What's notable is that Genetec disclosed something. As we mention in the post, often manufacturers want these vulnerabilities quietly fixed and never publicly mentioned.

Scott Sheldrake

In reply to John Honovich | 07/31/18 05:10pm

I don't know how Genetec's pricing structure works, but when we find a bug in Exacq (and there have been some nasty ones in v6.0 and 9.0) it costs money to upgrade.  So Genetic may be looking at this as a profit center and spinning it as a "look at us, we take the high road" scenario. 

I'm not a huge fan of Genetec as they are a closed dealer-only system.  Despite all HIK and Exacq's flaws, at least they don't discriminate against smaller and medium sized companies.  (Ie - with Genetec you can't join the old boys club).  And I'd be willing to bet Genetec has a boatload more bugs that they admit to, but since 1% of the market uses their software nobody cares. 

Security through obscurity.

Avatar

Sean Patton

IPVM | In reply to Scott Sheldrake | 07/31/18 05:36pm

Scott,

Every version of Security Center has been patched with a Cumulative Update, which is available for free for whatever version a customer bought, even if the system is no longer covered by a Genetec Advantage Plan (software maintenance agreement).

Undisclosed Integrator #8

In reply to Scott Sheldrake | 08/01/18 07:42am

Hi Scott,

Speaking as a SMB and a Genetec Partner, the 'closed dealer only system' (partner program) gives us massive payback for investing in the training and certification required when dealing with enterprise systems.

Genetec's control of the partner list ensures the product, services and us as partners are kept at a quality and more importantly a price point.

If we had engineers running about selling and installing Genetec directly, you don't think the price point and quality of install would plummet? No thanks. I'd rather leave the race-to-the-bottom Chinese market installers out of the equation.

$ aside, Genetec look after their partners. We have work regularly pushed our way by Genetec. How many other manufacturers do you know that do that. I don't recall Hikvision ever calling us and saying 'we've got a great project for you guys, here's the number of the client etc...'

No system is without bugs and vulnerabilities, it's all just software after all. It's how they respond to those issues that counts. There's no charge for cumulative fixes. If you keep the SMA running, which is reasonably priced you get free upgrades for all the releases. This is exactly the same as Exacq.

By the way, if you want to install the enterprise products from Exacq, you'll need to join their 'old boys club' too.

Undisclosed Integrator #9

In reply to Undisclosed Integrator #8 | 08/01/18 08:08am

The argument that a closed dealer only system like Genetic is to maintain quality of installations is complete bullshit. 

Dealer only programs (Avigilon, Genetec, Kantech Global) are there to reduce the number of bidders on hard-spec'd tenders and increase profit margins to dealers.  Period.

If Avigilon, Genetec etc were truly concerned with quality of installs then they would simply require extensive and expensive training to become a dealer.  Instead, they choose to lock out medium sized companies to try and keep the old boys fat while the smaller guys (in theory) starve.

Genetec is not saintly for going public with a bug fix.  They're a closed dealer-only company that goes after the top 1% of enterprise customers and has security through obscurity.  It's like saying your Macbook never gets any viruses.  Is that because Apple creates magic bulletproof code, or the fact that Windows owns 95% of the desktop market and is the bigger target.

 

Undisclosed Integrator #13

In reply to Undisclosed Integrator #9 | 09/14/18 01:20pm

We are one of those medium sized companies, who compete very strongly with the "old fat boys".

We do not starve. We have a very high bar for the quality of our finished system installations, which is why Genetec and others you mentioned keep us on their short list as dealers for their top level product offerings.

Genetec, and the others you mentioned do included in their limited list of integrators per territory pretty much all the nationals, which is normal, but they also always have an equal amount of smaller "medium" sized businesses who have invested in their training and make an active effort to promote their products and install their systems using the highest standards of the industry.

Quality matters. Rewarding your dealers for promoting your products and representing your products properly also matters.

Michael Miller

In reply to Undisclosed Integrator #9 | 09/14/18 01:41pm

If Avigilon, Genetec etc were truly concerned with quality of installs then they would simply require extensive and expensive training to become a dealer.  

 

Genetec DOES require extensive and expensive training to become a dealer.

Avigilon does not charge for training.

Having a closed channel that vets integrators before coming to a dealer are important.  I have seen more security companies care more about money than delivering a quality solution to customers.   

Dealer only programs (Avigilon, Genetec, Kantech Global) are there to reduce the number of bidders on hard-spec'd tenders and increase profit margins to dealers. Period.

When I became an Avigilon dealer I had 2 people on staff.  Now I have 20 people and growing monthly.   I also know many other small 2-5 man shops that are very successful selling Avigilon. 

Avatar

Ricardo Souza

IndigoVision Ltd
IPVMU Certified | 07/31/18 05:04pm

Impressive, kudos for Genetec.

Scott Sheldrake

07/31/18 05:11pm

I don't know how Genetec's pricing structure works, but when we find a bug in Exacq (and there have been some nasty ones in v6.0 and 9.0) it costs money to upgrade. So Genetec may be looking at this as a profit center and spinning it as a "look at us, we take the high road" scenario.

I'm not a huge fan of Genetec as they are a closed dealer-only system. Despite all HIK and Exacq's flaws, at least they don't discriminate against smaller and medium sized companies. (Ie - with Genetec you can't join the old boys club). And I'd be willing to bet Genetec has a boatload more bugs that they admit to, but since 1% of the market uses their software nobody cares.

Security through obscurity.

Avatar

Sean Patton

IPVM | In reply to Scott Sheldrake | 07/31/18 05:37pm

Scott,

Each version of Security Center has been patched with a Cumulative Update, which is available for free for whatever version a customer bought, even if the system is no longer covered by a Genetec Advantage Plan (software maintenance agreement).

Christopher Ritter

In reply to Scott Sheldrake | 07/31/18 09:21pm

Scott, I am the Northeast Director of Sales for Genetec and I am not supposed to post on IPVM but I think I can get away with this one. Your comment is completely untrue, we have tons of smaller to medium sized companies as partners, probably more than we have larger ones. We have numerous offerings in our Cloud/Subscription and On-prem solutions to fit any size integrator or end-user yet this is a common misconception in our industry. Please reach out to myself or your local RSM and we would be more than happy to discuss a partnership with Genetec. We would never discriminate and we are built on TRUST!

Scott Sheldrake

In reply to Christopher Ritter | 08/01/18 04:52am

Hey Chris,

Who can we contact in BC Canada to become set up with Genetec?  We've had many tenders where Genetec would have saved us a lot of messing around with Kantech and Exacq.  Is there an RSM here?  Maybe you?

 

Thanks

Avatar

Clint Hays

Rasilient | 07/31/18 06:40pm

Cuddos to Genetec. No software, or human, is flawless. Admit when there's an issue ASAP rather than throwing it in a closet and hiding it.

Undisclosed Manufacturer #7

07/31/18 07:08pm

As a "competitor" to Genetec, I'll say that this is absolutely the correct approach.  Vulnerabilities are to be expected, as what was secure yesterday might not be tomorrow.  A proactive (and public) methodology to addressing these types of issues will always instill a higher level of confidence with your customer base.

Avatar

Peter Pavlov

07/31/18 09:34pm

I always prefer to be aware of a vulnerability and how to address it. If the manufacturer quietly addresses it and just includes the fix in the next release, then there open the door for end-users to skip an update they deem not critical(since they don't know it will fix a major vulnerability) and expose them to an attack. As noted in the previous comments the fix is also provided for systems with expired SMA and clearly shows Genetec is not trying to monetize the issue. In those cases, the quiet fix in the next release will not address the issue either.  

Avatar

Jon Dillabaugh

Pro Focus LLC
07/31/18 09:59pm

Good thing they blocked Hikvision, for safety sake and all. 

Undisclosed #2

In reply to Jon Dillabaugh | 07/31/18 10:33pm

Probably wouldn't have happened if Hikvision had handled any one of their numerous easily exploited vulnerabilities in as straightforward a manner.

Avatar

Jon Dillabaugh

Pro Focus LLC
In reply to Undisclosed #2 | 07/31/18 10:42pm

Point taken. Kind of like opening a source code center for government authorities to inspect the source code used in their products? That didn’t receive much acclaim, did it. 

Honestly, there isn’t much Hikvision could do to endear much support around here. They are dead man walking no matter what. 

Undisclosed #2

In reply to Jon Dillabaugh | 07/31/18 10:50pm

That didn’t receive much acclaim, did it.

No, it didn't because it was a bullshit PR move, not an authentic gesture. And, if Hikvision had been upfront and professional about their numerous vulnerabilities they probably wouldn't have needed to dangle out the bullshit "source code center" to try and appear competent and trustable.

 

Undisclosed Integrator #11

In reply to Jon Dillabaugh | 09/14/18 02:10pm

Careful Jon - you'll be branded "un-patriotic" and have the wrath of Trump descend upon you by the IPVM lemmings.

 

Edward Knoch

08/01/18 04:50am

 I think that this admission shows that they truly do care about their reputation and want to ensure the protection of their customers data privacy. Unlike some vendors that obfuscate, cajole, humiliate and outright deny their vulnerabilities so that they can get more sales. 

There was a time that disclosure didn't ruin a company  - it enhanced the trust of the firm. Instead of lambasting Genetec, we should be applauding them on their transparency - I don't even sell the product. 

Hats off to you Genetec.

 

 

Avatar

Joseph Marotta

IPVMU Certified | 11/10/18 07:02pm

It seems the link to the CVSS Base Score Calculator isn't working. Is it just me?

John Honovich

IPVM | In reply to Joseph Marotta | 11/11/18 01:51pm

Joseph, the link provided (https://www.first.org/cvss/calculator/3.0) does work for me.

Avatar

Sean Patton

IPVM | 07/10/19 06:16pm

Genetec self-disclosed another vulnerability, related to a potential blank password tied to a default admin account: Media Gateway Vulnerability. It is scored a CVSS v3.0 base score of 7.5 (High) because RTSP can be used to gain unauthorized access to any camera's live or stored video.

About this latest vulnerability, Genetec told IPVM:

The vulnerability was found in an early version of Security Center 5.8 prior to its release by the pentesters we hired.  Since the default user used for the Media Gateway is the same default user present in Security Center upon installation (aka the Admin user) it was believed that the mandatory password change in the Installer Assistant upon first connection in the Config Tool would also change the password in the Media Gateway. This assumption was false and is the root cause of the issue.

The Media Gateway is not a role created by default in Security Center. A user manually creating Media Gateway role and following the steps detailed in the Administrator Guide wouldn’t have had any issue (we are however updating our hardening guide just to be sure). The real problem arises when a user creates a Web Client role, as this automatically also creates a Media Gateway role that the user may not be aware that s/he created. We can’t expect users to be aware of this, and that is reason why an advisory was published.

Naturally, the worst case scenario was assumed in the announcement but it is not easy to exploit: the hacker still has to discover the unique hexadecimal number (called Guid) for each camera they wants to access via the RTSP interface.

The Genetec GUID is a group of hexadecimal numbers that often includes the MAC address of the device (in this example an Axis camera's GUID):

Undisclosed #5

IPVMU Certified | In reply to Sean Patton | 07/10/19 11:08pm

The vulnerability was found in an early version of Security Center 5.8 prior to its release by the pentesters we hired.

prior to it’s release?  was it released anyway?

if never released, how was anyone vulnerable?

Avatar

Sean Patton

IPVM | In reply to Undisclosed #5 | 07/11/19 03:45am

The vulnerability is not present in any releases in 5.8, it was found during 5.8 pen-testing during development but is present in 5.6 and 5.7 (up to SR6) if using the Web Client Server. Genetec testing/QA/development missed the vulnerability for 2+ years.

Here is the matrix of affected products:

Undisclosed #5

IPVMU Certified | In reply to Sean Patton | 07/11/19 02:57am

...it is not easy to exploit: the hacker still has to discover the unique hexadecimal number (called Guid) for each camera they wants to access...

from the internet, not easy.  from the LAN, easy.

 

Undisclosed Manufacturer #14

In reply to Undisclosed #5 | 07/11/19 12:58pm

"from the internet, not easy. from the LAN, easy."

If you have a hacker on your LAN you have bigger issues no?

 

Undisclosed #3

07/10/19 06:24pm

Its cool that they told on themselves by advising and releasing the vulnerability however I would like to know one thing. Who got fired for this? Sounds like creating one role automatically initiates the creation of the Media Gateway role (RDP 3389 login, lol). 

Jetson!  You're Fired!

Read this IPVM report for free.

This article is part of IPVM's 6,814 reports, 914 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now
Loading Related Reports