Critical *************
******* ****** *** ************* had * **** **.* base ***** ** *.* (Critical).********* ** *** **** Base ***** **********, * **** *.* score ********* **** ********* network ******, ** ***********, and * *** ********** of ******.
***********, ******* ****:
**** ************* ******* ******** Center ******* ** ******** received **** *** *******. An ******* *** ** achieved **** ****** *** attacker ** *** ************* in ******** ******. *** exploit ***** ***** *** execution ** ********* **** and **** ******* ** the ********* ****** ******* the ******** ****** ****.
*** ************* *** ********** in ******** ****** *.* (released ~****) **** ************* could **** **** ********* for * ***** ****** it *** **********. ******* says **** **** ** reports ** ******* *** that **** ********** ** recently **** * "***** party ************ ***** ** Genetec ** ******* *********** tests" ******** ** ** them.
No ************* *******
*******'* ********** **** *** include ********* ******* *** a ***** ** ******* exploiting *** *************. **** is ******** *** *************** discovered *** ******** ** independent ******** *********** (*.*.,**** ************* *********).
A **** ****-**********
*********, ** * ******** such ** *******'*, ***** they **** *** *********** tester, *** ************* ***** be ******* *******, **** no ****** ****** *** the ****** ***** ** NDA ******* **** **** public *******, ********* ** various **** *******.
** ** **** *** companies ** ****-******** ** Genetec ***, ** ******* instance ************* ********* * ******* password ***************** ****. *********'* ********** was * **** ***** level ******** *****, **** affecting **, ********* *** Express, *** *** ********* control ** *** ********* system ** *** ******. It **** *** *** require * ******** ******, just ******** *** ******* user ** ******** *** password ** *** *******.
******* ** ** ** rare *** ************* ** self-disclose, ** * ********** ****** ** ********** Responsibility, *********** ********* **** would *** ***** ************* to ****-******** ******** ******.
Notification *****
******* **** ** ***** that ********* *** **** information ** *** ********** on ***** *******.
No ******* *********
******* ********* ** **** why **** *** *** sharing **** *******:
** ****** ** ******** the ************* ******** ** maximize *** ******* **** our ********* ****** ***** of ** *** ***** the *******. ** ** also ** **** **** the ************* ********** **** practices ********* ******* ** the ******** ********.
** ** ********** *** case ** ********, ******** what ** ******** ** that ******** *** * trade-off. **** **** ******** we ******* ** ****** the ***** ******* ******* disclosing ****** ******* ** that *** ******** *** conduct ***** *** **** assessment *** ***** *** patches ********* ** ***** own **** ********* ***** at *** **** **** avoiding ******* ******* ** providing ****** ******* ** that **** *** ***** exploit **** *** *** disclosed *************.
Patch ** *********
*******'* **** ***** *** Service *******/********** ****** ***** required *** **** ******* of ******** ******, *** recommends ******** *********** ** removing ******* ******* ****** to *** ******. ***** that **** ******* ******* are ******** ** ********** multi-site, *****-******** ************, ******** outside ******* ****** ***** essentially ******* *** ********* of ***** *******. ** such, ******** ******** ********* upgrades.
Criticism ** ******* *************
******* *** **** **** vocal ***** ************* ********, specifically ******* *************, **** notably ** ********* ********* / ************ Hikvision *** ****** *******, ****** ******** ***** their ******* ********** ******* and**** ** ******* ***** *********. ******* would ****** ***** ** the **** **** **** disclosed **** **** **** were *** ****** ** do ** ** * sign ** ***** *** trustworthiness.
*******, ***********, ********* *** Huawei ********** **** ***** out *******'* *** ******** vulnerability ** ***** **** any ************ ** ******* likely ** **** ***************.
Poll / ****

Comments (56)
bashis mcw
Excellent! That's how it should be done!
Undisclosed Integrator #1
I like the move by Genetec. I think it's fine that they're not fully explaining the vulnerability either. Why give low grade hackers a blueprint on how to exploit systems? I think telling the public that there is a vulnerability, a fix and please update is a good move.
Undisclosed #2
I am not surprised that Genetec did not disclose details of an exploit or proof of concept. Those things are often done by researchers as a way to prevent the affected company from claiming the issue is "very complex to execute" or "only affecting certain products", and similar excuses. Proof of concept works allow users to verify if their systems are affected, and judge for themselves the technical complexities if the manufacturer does not respond or tries to spin the issue.
In this case Genetec is openly admitting the vulnerability, issuing a patch, and disclosing which products/versions are affected. Releasing a proof of concept would only put customers at undue risk at this point.
Greg Hussey
"Trustworthiness" and "vulnerabilities" are obviously two different things, let's not confuse them. All software has the potential for vulnerabilities but do you trust the organization is making security an important aspect of their product/solution and therefore will be forthcoming e.g. diligent in finding/making known and patching said vulnerabilities? When asking these questions (if this is important to you or relevant in your business model) one can only look at past experiences and history.
Undisclosed #3
I don't use Genetec as much as I should; does anyone know if their cloud controller is still running on Windows 7 Embedded? Has anyone tried to Konboot one of those controllers?
In other news, if you use a Synology NAS for any cctv or other storage deployments, DSM needs to be patched for a vulnerability released yesterday on Synology's website.
https://www.synology.com/en-global/support/security/Synology_SA_18_39
Sean Nelson
07/31/18 03:47pm
As predicted, Genetec has vulnerabilities, they get praised. Hikvision gets hacked, they are accused of going to war with the USA. Looking forward to more comments like this.
Scott Sheldrake
It's nice to see that Genetec hires pen testers. I wonder if this is standard industry practice among the big players, or if this is something unique?
Ricardo Souza
IPVMU Certified | 07/31/18 05:04pm
Impressive, kudos for Genetec.
Scott Sheldrake
I don't know how Genetec's pricing structure works, but when we find a bug in Exacq (and there have been some nasty ones in v6.0 and 9.0) it costs money to upgrade. So Genetec may be looking at this as a profit center and spinning it as a "look at us, we take the high road" scenario.
I'm not a huge fan of Genetec as they are a closed dealer-only system. Despite all of HIK's and Exacq's flaws, at least they don't discriminate against smaller and medium-sized companies. (I.e., with Genetec you can't join the old boys' club.) And I'd be willing to bet Genetec has a boatload more bugs than they admit to, but since 1% of the market uses their software nobody cares.
Security through obscurity.
Clint Hays
Kudos to Genetec. No software, or human, is flawless. Admit when there's an issue ASAP rather than throwing it in a closet and hiding it.
Undisclosed Manufacturer #7
As a "competitor" to Genetec, I'll say that this is absolutely the correct approach. Vulnerabilities are to be expected, as what was secure yesterday might not be tomorrow. A proactive (and public) methodology for addressing these types of issues will always instill a higher level of confidence in your customer base.
Peter Pavlov
I always prefer to be aware of a vulnerability and how to address it. If the manufacturer quietly addresses it and just includes the fix in the next release, then that opens the door for end users to skip an update they deem not critical (since they don't know it will fix a major vulnerability) and exposes them to an attack. As noted in the previous comments, the fix is also provided for systems with expired SMA, which clearly shows Genetec is not trying to monetize the issue. In those cases, a quiet fix in the next release would not address the issue either.
Jon Dillabaugh
07/31/18 09:59pm
Good thing they blocked Hikvision, for safety's sake and all.
Edward Knoch
I think that this admission shows that they truly do care about their reputation and want to ensure the protection of their customers' data privacy. Unlike some vendors that obfuscate, cajole, humiliate and outright deny their vulnerabilities so that they can get more sales.
There was a time that disclosure didn't ruin a company - it enhanced the trust of the firm. Instead of lambasting Genetec, we should be applauding them on their transparency - I don't even sell the product.
Hats off to you Genetec.
Joseph Marotta
It seems the link to the CVSS Base Score Calculator isn't working. Is it just me?
Sean Patton
Genetec self-disclosed another vulnerability, related to a potential blank password tied to a default admin account: Media Gateway Vulnerability. It is scored a CVSS v3.0 base score of 7.5 (High) because RTSP can be used to gain unauthorized access to any camera's live or stored video.
About this latest vulnerability, Genetec told IPVM:
The Genetec GUID is a group of hexadecimal numbers that often includes the MAC address of the device (in this example an Axis camera's GUID):
Undisclosed #3
It's cool that they told on themselves by advising and releasing the vulnerability; however, I would like to know one thing. Who got fired for this? Sounds like creating one role automatically initiates the creation of the Media Gateway role (RDP 3389 login, lol).
Jetson! You're Fired!