Warning: Windows 7 Update Crashing NVRs

Published Aug 26, 2019 17:42 PM

Windows 7 updates are causing VMS servers to fail to boot.

After running the update, impacted systems do not boot as normal, instead display this warning screen:

Windows 7 Update Crashing NVRs

In this note, we examine:

  • Which systems are impacted
  • What is causing the issue?
  • Vendor recommendations to fix
  • Dahua and Hikvision not impacted
  • End-of-Life Win 7 is coming
  • Is this a win for VSaaS?

The Problem

IPVM has received multiple reports of Windows 7 and Windows Server 2008R2 systems that will no longer boot after installing Microsoft 8/2019 Security update 'KB4512506 Security Monthly Quality Rollup'.

The problem occurs because this update uses now required SHA-2 signing, but mistakenly assumes the embedded OS servers and NVRs have been upgraded from SHA-1, which is not the case for many systems.

One site gave this explanation:

It looks like Microsoft forgot to make this update available for Windows 7 Embedded OS which installs the ability to use SHA-2 code signing.

As soon as the Aug 2019 security rollup update is installed, " KB4512506 " upon reboot, the OS indicates "Windows cannot verify the digital signature for this file " which of course is caused by the lack of the SHA-2 code sign support. I've had two NVR's go down due to this issue.

Below, we cover the impacted security vendors and how to fix the issue.

Impacted ******* ****

**** *** **** ** ********* ******* with * ****** ** ******* ** this *****. ******* ****** ******* *****, with **** ************ **** ******* ** calls *** ** *** ******, ***** others *** ********* ****:

  • ********:[******] ******** *** ********* **** **** have *** **** ****** ** *** field **** ***** *******, *** ** a ******* *****, *** **********. **** machines *** ** ****** ******* ******** versions ** *******.
  • ******* ********: [******]** *** ********* **** * **** instruction*** *** ***** ** *** ** reimage ** ** *** * ********* Series *********.***** **** ******* **** ************ ********* that ** ******* ** ***** ** the *******, *** ******* *** *** responded ** ****. ** **** ****** when **** **.
  • *****:** ***** ** **** **********, ***** *** ****** * ****** at *** *** ** ***** **** and ************** ****** ************.
  • *********: ** ********* *********, *** **** us **** **** *** **** ******** of *** ******** ******* ** *** US. ********* ** ******* *** *** yet *********.
  • *******: *** ******* ****** ******** ****** via ***** ******* ****** *** ******** dealers ** **** *** ********* ******* 'until ******* ******'.
  • ***: *** ****** ****** ******** *** issue ** * **** ****** ***** warning **** *****,****** **! *********.*** ******* * *** 6*** ****** ********.

*******, ***** ***** *** **** ***** be ********, ** ****. ** **** update **** **** ** ***** ******** vendors *** *****.

Not ***** *** *********, *****, *** ***** ***** ****/*******

*************, *** ***** ** **** ***** only ******* ***** ******* ** ******** and ****.

********** ******** ******* ********* **** ***** and *********, *** ******* ******* ***** an ******** ******* ** *****.

Fix: ******* *** * ** ******** ********

** **** *****, ******** ******* *** recommending ******* ****** *** ***** ** reimaging *** *** * ** ** a ******** *******.

*** ****** ******* ****** ***** ** the ****** *****/*********** ****, *** *** process ********* ******** ******* ** ******** a '******** *******' *** **** ** a *** *****, **** ********** ** each ******** *** ** *** ***** and ******** *** ***.

Security ****** ********

******* ******** ******* **** ******** ******** notices *** ******** ***** *** *****.

*** *******, ***** *** ****** ******** ****** ** *** *** ** their ****:

******* **** ****** ******** ****** *** their ******* ******:

** ******** ** *** ******** ******, Genetec **** ********* ** ****:

"** ***** ** ********** *** **, this ** ********* **-*** **/**/** ****. SV-PRO **/** *** ********** ***, *** we *** **** ***** **** **** and ****** *** ******** **********."

[******] ******* ******** ************ **** * **** ************** *** ***** ** *** ** reimage ** ** *** * ********* Series *********.

Undiscovered ********

**********, **** ******** ******* *** **** undetected ******. ***** **** ************ ******* (especially ******* ******* ***** ******** **** are ********) *** *** ******** *********, many ******* *** *** ****** ***** recorded ******* ** ******.

***** ******** ****** ******* ***, **** ** ****** ** ****** in ************ ******:

* ***** ** ******* ** *** that **** ******* *** ***** **** be **** *** ****, ***** *** maybe **** ****** ****** ****** *******. Many ***** ******** *** ********** **** check ***** ******* **** *****'* * problem. **** ******* ** *****'* * significant ***** *** **** **** *** the ****** *** **** **** *** days ** ******?

Corrective ******: "**** *** ********* *******"

** ******* ****** ********, ******* *** telling ********** ** ******* ****** ********* Win * *******.

*******, **** ********** **** ****** *** systems ********** ** ******* * ******** threats *** ****** **** ********* ******* known *****.

Win * ***-**-*****, ******* ****** **** ****

*** ******* ** *********** ** *** official *** ** ******* ********** * ** ******* ****.

**** ** ******* ******* **** ** 2009, ******* **** *** ******* ******* security ******* ***** ******* ****, **** for '******* ******** ******** *'. *** company ****** ** ************ * ********* *****:

********* **** * ********** ** ******* 10 ***** ** ******* ******* *** Windows * **** ** *** ******** on ******* **, ****. **** **** 10-year ****** ****, ********* **** *********** Windows * ******* ** **** ** can ***** *** ********** ** ********** newer ************ *** ***** *** ***********.

** **** **** **** *******, ******** NVRs *** ******* ******* *** ******** OS **** ********** **** ** ******* operating *******, ** ** ********, ****** the **** **** **** ******* *********** equipment.

Impact ** *******

************* *** ******** *******, ******** ******* limited.

**** ****** ******** ******* **** '** response' ******** ******* ****** ************, ******* *** ********* ******* ************** to *** *** ******* ** **********.

******* ******* ** **** ****** **** tell *** **** *** '******* ****** on *** *** ****' *** **** 'We *** ****** ***** ** **** manhours' ********* ******* ******.

*** ******** ****** ********* ************ ****** ** ***** ********* ******** machines:

* **** ***** **** ** *** weekend ********* ******** ****. *** ******* based ** ****** ****** **** *** easiest ** ******. * ****** ******* typed ** ****** ****** *** ** a ****** ** **** **** *** updates. *** ******* * ******** ***** weren't ** ****. **** ********* *** to ** ******** ** *** ** the *** ********* ****** **** ***** operate. **** ***** *********** *** **** updates (***** *** **** **** ******* the *******) *** ********* **** ** their ******.

***** *** ********* *** **** *** impacted ** ********, ** ** *** expect ******* ** ****** *********** ********** resources ** *** *****.

A *** *** *****?

****** ***** ******* *** ***** ** argue **** ** * **** ************* for ***** **** *** *** ****** to ***** ***** **** **** ** crisis.

*******, *** **** ****** *** **** Windows * *** ** **** *** also ****** *** ***** ** ** happy ** *** ******* **** *** upgrade ***** ** **** *** ********* be ******* *******.

******* **** ******* ******* **** ***** a *********** ********* ****** ** *** is '* ****** ***** ** *******', *** ** ****** ****** **** this ******** ******* *********.

Comments (7)
JV
John Vilot
Aug 26, 2019

**** **** ******** ** ** (*** the ****** **** ** *** **** year) ******* **** ****** ******* ** a ******* * ******* (**** ***** NVR). * ** *** *** ********* updates *** ** ******** ******* ******* from **** ** ****. *************, *** only *** ** ****** **-******* *** machine **** ***** **** **** **** support.

(5)
(1)
UI
Undisclosed Integrator #1
Aug 26, 2019

** **** ** ******** **** ***** or **** ****?

Avatar
Brian Rhodes
Aug 26, 2019
IPVMU Certified

************** ****** ******* **** ********.

**** ****, ** ********* ** *** Embedded ******* **** ** **** *** affected.

(1)
Avatar
Brian Rhodes
Aug 26, 2019
IPVMU Certified

[******]DW ********

******* ******** ************ **** * **** ************** *** ***** ** *** ** reimage ** ** *** * ********* Series *********.

**** ***** *******, ** **** ********* turning *** ********* ******* ** ******* similar ******:

** *** ********* ***, ******* ******* were *** ********* ** ******** *** install ************* **** *** ******* *** to *** ********** *** ********** ****** the ******* ******* *** ***** ** the *********** ** *** ****** *** DW ********.

(1)
DD
Dan Droker
Aug 27, 2019
LONG Building Technologies • IPVMU Certified

** *** **** ****** **** **** for ******* ****** (*** ****, ***** uses *****) *** ***** ******* ****** (DSSRV2 ******).

(1)
Avatar
Ethan Ace
Aug 28, 2019

******: ******** *** ********* **** **** have *** **** ****** ** *** field **** ***** *******, *** ** a ******* *****, *** **********. **** machines *** ** ****** ******* ******** versions ** *******.

(1)
UI
Undisclosed Integrator #2
Sep 03, 2019

***** **** ** *** ********** ******** in ** ** *’** ****** *** cynical *** * ***** ********* *** this ** ******* ** ***** **** to ******* ** ******* ** ** Server ****. ** ** *** **** this ***** ** ***** *** **-******* Windows *; ** ***** ******* ******* 10 ** ****** ****.

(1)