High severity vulnerability affecting the Hardware Inventory Task of Security Center

A high-severity vulnerability that can lead to a full compromise of the system hosting the SQL database was found in the Genetec Security Center product line. This vulnerability was discovered internally by the Genetec engineering team. There is currently no evidence of this vulnerability being exploited otherwise.

Risk Assessment  

This vulnerability (CVE-2023-1522) affects the Hardware Inventory Report section of Security Center 5.11.2. An attacker who successfully exploits this vulnerability may be able to execute any SQL query on any database hosted on the Microsoft SQL server used by the Genetec Directory, as well as run system commands with administrative privileges on its underlying operating system. The CVSS v3.1 base score for this vulnerability is 8.5 (High). 

Details 

The Hardware Inventory Report is a page that is accessible through the Genetec Security Desk and Config Tool client applications and allows an authenticated/authorized user with the inventory management privileges to list available hardware based on a list of filters. Due to a lack of proper sanitization on the backend service, an attacker can bypass the client-side protection and craft a malicious payload to send arbitrary SQL queries to the system through this task. 

Recommendation 

Customers running Security Center 5.11.2 should update the Security Center servers hosting the Directory service to version 5.11.2.1 or newer as soon as possible.

Workarounds 

If the Security Center instance cannot be updated in a timely fashion, the system administrator should remove the Hardware Inventory Task privilege from all users until the patch is applied. 

Affected Products 

Product	Affected	Patch Release Version
Security Center 5.11.2	Yes	5.11.2.1
All other Security Center versions	No	N/A
Other Genetec products	No	N/A

For more information or assistance, please log in to the Genetec Technical Assistance Portal (GTAP) to open a support case.