Warning: Windows 7 Update Crashing NVRs
Windows 7 updates are causing VMS servers to fail to boot.
After running the update, impacted systems do not boot as normal, instead display this warning screen:
In this note, we examine:
- Which systems are impacted
- What is causing the issue?
- Vendor recommendations to fix
- Dahua and Hikvision not impacted
- End-of-Life Win 7 is coming
- Is this a win for VSaaS?
The Problem
IPVM has received multiple reports of Windows 7 and Windows Server 2008R2 systems that will no longer boot after installing Microsoft 8/2019 Security update 'KB4512506 Security Monthly Quality Rollup'.
The problem occurs because this update uses now required SHA-2 signing, but mistakenly assumes the embedded OS servers and NVRs have been upgraded from SHA-1, which is not the case for many systems.
One site gave this explanation:
It looks like Microsoft forgot to make this update available for Windows 7 Embedded OS which installs the ability to use SHA-2 code signing.
As soon as the Aug 2019 security rollup update is installed, " KB4512506 " upon reboot, the OS indicates "Windows cannot verify the digital signature for this file " which of course is caused by the lack of the SHA-2 code sign support. I've had two NVR's go down due to this issue.
Below, we cover the impacted security vendors and how to fix the issue.
Impacted ******* ****
**** *** **** ** ********* ******* with * ****** ** ******* ** this *****. ******* ****** ******* *****, with **** ************ **** ******* ** calls *** ** *** ******, ***** others *** ********* ****:
- ********:[******] ******** *** ********* **** **** have *** **** ****** ** *** field **** ***** *******, *** ** a ******* *****, *** **********. **** machines *** ** ****** ******* ******** versions ** *******.
- ******* ********: [******]** *** ********* **** * **** instruction*** *** ***** ** *** ** reimage ** ** *** * ********* Series *********.***** **** ******* **** ************ ********* that ** ******* ** ***** ** the *******, *** ******* *** *** responded ** ****. ** **** ****** when **** **.
- *****:** ***** ** **** **********, ***** *** ****** * ****** at *** *** ** ***** **** and ************** ****** ************.
- *********: ** ********* *********, *** **** us **** **** *** **** ******** of *** ******** ******* ** *** US. ********* ** ******* *** *** yet *********.
- *******: *** ******* ****** ******** ****** via ***** ******* ****** *** ******** dealers ** **** *** ********* ******* 'until ******* ******'.
- ***: *** ****** ****** ******** *** issue ** * **** ****** ***** warning **** *****,****** **! *********.*** ******* * *** 6*** ****** ********.
*******, ***** ***** *** **** ***** be ********, ** ****. ** **** update **** **** ** ***** ******** vendors *** *****.
Not ***** *** *********, *****, *** ***** ***** ****/*******
*************, *** ***** ** **** ***** only ******* ***** ******* ** ******** and ****.
********** ******** ******* ********* **** ***** and *********, *** ******* ******* ***** an ******** ******* ** *****.
Fix: ******* *** * ** ******** ********
** **** *****, ******** ******* *** recommending ******* ****** *** ***** ** reimaging *** *** * ** ** a ******** *******.
*** ****** ******* ****** ***** ** the ****** *****/*********** ****, *** *** process ********* ******** ******* ** ******** a '******** *******' *** **** ** a *** *****, **** ********** ** each ******** *** ** *** ***** and ******** *** ***.
******* ******** ******* **** ******** ******** notices *** ******** ***** *** *****.
*** *******, ***** *** ****** ******** ****** ** *** *** ** their ****:
******* **** ****** ******** ****** *** their ******* ******:
** ******** ** *** ******** ******, Genetec **** ********* ** ****:
"** ***** ** ********** *** **, this ** ********* **-*** **/**/** ****. SV-PRO **/** *** ********** ***, *** we *** **** ***** **** **** and ****** *** ******** **********."
[******] ******* ******** ************ **** * **** ************** *** ***** ** *** ** reimage ** ** *** * ********* Series *********.
Undiscovered ********
**********, **** ******** ******* *** **** undetected ******. ***** **** ************ ******* (especially ******* ******* ***** ******** **** are ********) *** *** ******** *********, many ******* *** *** ****** ***** recorded ******* ** ******.
***** ******** ****** ******* ***, **** ** ****** ** ****** in ************ ******:
* ***** ** ******* ** *** that **** ******* *** ***** **** be **** *** ****, ***** *** maybe **** ****** ****** ****** *******. Many ***** ******** *** ********** **** check ***** ******* **** *****'* * problem. **** ******* ** *****'* * significant ***** *** **** **** *** the ****** *** **** **** *** days ** ******?
Corrective ******: "**** *** ********* *******"
** ******* ****** ********, ******* *** telling ********** ** ******* ****** ********* Win * *******.
*******, **** ********** **** ****** *** systems ********** ** ******* * ******** threats *** ****** **** ********* ******* known *****.
Win * ***-**-*****, ******* ****** **** ****
*** ******* ** *********** ** *** official *** ** ******* ********** * ** ******* ****.
**** ** ******* ******* **** ** 2009, ******* **** *** ******* ******* security ******* ***** ******* ****, **** for '******* ******** ******** *'. *** company ****** ** ************ * ********* *****:
********* **** * ********** ** ******* 10 ***** ** ******* ******* *** Windows * **** ** *** ******** on ******* **, ****. **** **** 10-year ****** ****, ********* **** *********** Windows * ******* ** **** ** can ***** *** ********** ** ********** newer ************ *** ***** *** ***********.
** **** **** **** *******, ******** NVRs *** ******* ******* *** ******** OS **** ********** **** ** ******* operating *******, ** ** ********, ****** the **** **** **** ******* *********** equipment.
Impact ** *******
************* *** ******** *******, ******** ******* limited.
**** ****** ******** ******* **** '** response' ******** ******* ****** ************, ******* *** ********* ******* ************** to *** *** ******* ** **********.
******* ******* ** **** ****** **** tell *** **** *** '******* ****** on *** *** ****' *** **** 'We *** ****** ***** ** **** manhours' ********* ******* ******.
*** ******** ****** ********* ************ ****** ** ***** ********* ******** machines:
* **** ***** **** ** *** weekend ********* ******** ****. *** ******* based ** ****** ****** **** *** easiest ** ******. * ****** ******* typed ** ****** ****** *** ** a ****** ** **** **** *** updates. *** ******* * ******** ***** weren't ** ****. **** ********* *** to ** ******** ** *** ** the *** ********* ****** **** ***** operate. **** ***** *********** *** **** updates (***** *** **** **** ******* the *******) *** ********* **** ** their ******.
***** *** ********* *** **** *** impacted ** ********, ** ** *** expect ******* ** ****** *********** ********** resources ** *** *****.
A *** *** *****?
****** ***** ******* *** ***** ** argue **** ** * **** ************* for ***** **** *** *** ****** to ***** ***** **** **** ** crisis.
*******, *** **** ****** *** **** Windows * *** ** **** *** also ****** *** ***** ** ** happy ** *** ******* **** *** upgrade ***** ** **** *** ********* be ******* *******.
******* **** ******* ******* **** ***** a *********** ********* ****** ** *** is '* ****** ***** ** *******', *** ** ****** ****** **** this ******** ******* *********.
** **** ** ******** **** ***** or **** ****?
************** ****** ******* **** ********.
**** ****, ** ********* ** *** Embedded ******* **** ** **** *** affected.
[******]DW ********
******* ******** ************ **** * **** ************** *** ***** ** *** ** reimage ** ** *** * ********* Series *********.
**** ***** *******, ** **** ********* turning *** ********* ******* ** ******* similar ******:
** *** ********* ***, ******* ******* were *** ********* ** ******** *** install ************* **** *** ******* *** to *** ********** *** ********** ****** the ******* ******* *** ***** ** the *********** ** *** ****** *** DW ********.
** *** **** ****** **** **** for ******* ****** (*** ****, ***** uses *****) *** ***** ******* ****** (DSSRV2 ******).
******: ******** *** ********* **** **** have *** **** ****** ** *** field **** ***** *******, *** ** a ******* *****, *** **********. **** machines *** ** ****** ******* ******** versions ** *******.
***** **** ** *** ********** ******** in ** ** *’** ****** *** cynical *** * ***** ********* *** this ** ******* ** ***** **** to ******* ** ******* ** ** Server ****. ** ** *** **** this ***** ** ***** *** **-******* Windows *; ** ***** ******* ******* 10 ** ****** ****.
**** **** ******** ** ** (*** the ****** **** ** *** **** year) ******* **** ****** ******* ** a ******* * ******* (**** ***** NVR). * ** *** *** ********* updates *** ** ******** ******* ******* from **** ** ****. *************, *** only *** ** ****** **-******* *** machine **** ***** **** **** **** support.