.NET security vulnerability (hotfixes for 2016 R1 - 2018 R1)

CAUSE

The Recording Server, Management Server and Management Client in XProtect® (Corporate, Expert, Professional+, Express+, Essential+) use a .NET Framework Remoting configuration whose deserialization level is exploitable. If the affected ports are exposed to an attacker, Elevation of Privilege and/or Denial of Service are possible.

Hotfixes have been released for versions 2016 R1 (10.0a) through 2018 R1 (12.1a), and the issue is fixed permanently in 2018 R2 (12.2a).

Systems running an XProtect version older than 2016 R1 must first upgrade to 2016 R1 or later and then apply the relevant hotfix to mitigate this vulnerability. Install the hotfixes on every affected XProtect product you run.

For more information (list of ports, etc.), check KB 4218, “XProtect®: .NET security vulnerability.”

Important: Please note that only XProtect products from the C-code group are affected: Corporate, Expert, Professional+, Express+, Essential+. The E-code products (Professional, Express) are not affected.

STEPS TO APPLY THE HOTFIX

Important: Following this procedure minimizes downtime. The standard upgrade procedure also works, but keep in mind that the Recording Server(s) will not work until they have been upgraded.

1. Installing hotfixes on an existing XProtect installation

Roll out the hotfixes in the following order to minimize downtime:

  1. Patch all Recording Servers (requires a restart of each server). Remember to patch the Failover Recording Server(s) as well, if you use them.
  2. Patch the Management Server (requires a restart of the server).

Note: There also is a patch for the Management Client.

Important: Any Recording Server older than 2016 R1 will effectively stop working after the Management Server has been patched!

Note: Applying each patch involves two steps:
a) back up the original DLL file from its installation folder, then
b) copy the hotfixed DLL into that same folder.
When performing these steps, make sure to:
a) move the original DLL file out of its folder to another location, rather than renaming it in place in the same folder, and then
b) unblock the new hotfixed DLL once it is copied in place (right-click the DLL file → Properties → if an “Unblock” option is shown, select it). Windows marks files downloaded from the internet as blocked, and a blocked DLL may fail to load.
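The DLL swap described in the note above, as an added PowerShell example that is not part of this KB or of the hotfix package. The folder, DLL name, hotfix file path and backup location are placeholders supplied as parameters; substitute the values given in the hotfix's own instructions. It moves the original out of the install folder (rather than renaming it in place), copies the hotfixed DLL in, clears the download block the same way the “Unblock” checkbox does, and then verifies that no block remains.

```powershell
# Added example (not from the KB or the hotfix): replace one DLL the way the
# note above describes. All paths and the DLL name are assumptions passed in
# as parameters; use the folder and file named in the hotfix instructions.
param(
    [Parameter(Mandatory)] [string]$TargetFolder,    # install folder holding the original DLL
    [Parameter(Mandatory)] [string]$DllName,         # file name of the DLL the hotfix replaces
    [Parameter(Mandatory)] [string]$HotfixDll,       # path to the downloaded, hotfixed DLL
    [string]$BackupRoot = 'C:\XProtectHotfixBackup'  # assumed backup location, outside the install folder
)

$ErrorActionPreference = 'Stop'
$original = Join-Path $TargetFolder $DllName
$backup   = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')

if (-not (Test-Path $original))  { throw "Original DLL not found: $original" }
if (-not (Test-Path $HotfixDll)) { throw "Hotfix DLL not found: $HotfixDll" }

# Step (a): move the original OUT of the install folder instead of renaming
# it in place, as the KB requires.
New-Item -ItemType Directory -Path $backup -Force | Out-Null
Move-Item -Path $original -Destination (Join-Path $backup $DllName)

# Step (b): copy the hotfixed DLL in, then remove the download block. The
# block is the Zone.Identifier alternate data stream that Windows attaches to
# files downloaded from the internet; Unblock-File deletes it, which is what
# the "Unblock" checkbox in the Properties dialog does.
Copy-Item -Path $HotfixDll -Destination $original
Unblock-File -Path $original

# Verify: the file in place must no longer carry a Zone.Identifier stream.
$streams = Get-Item -Path $original -Stream * | Select-Object -ExpandProperty Stream
if ($streams -contains 'Zone.Identifier') { throw "$original is still blocked" }

# Report what is now in place: file version, Authenticode status and backup path.
$sig = Get-AuthenticodeSignature -FilePath $original
[pscustomobject]@{
    Dll            = $original
    FileVersion    = (Get-Item $original).VersionInfo.FileVersion
    SignatureState = $sig.Status
    Signer         = $sig.SignerCertificate.Subject
    BackupCopy     = Join-Path $backup $DllName
}
```

Run it from an elevated PowerShell session on each server, once for each DLL the hotfix ships, with the services stopped as the hotfix instructions require, and restart the server afterwards as the KB states. The final object gives you a record of the version and signature status of the DLL now in place, which is worth keeping with the change ticket.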

2. Installing hotfixes when upgrading an XProtect installation

When moving to the next release of XProtect, the normal procedure is to upgrade the Management Server and then to upgrade the Recording Servers when suitable so that the Recording Servers run in compatibility mode and video remains available during the process.

Compatibility mode will not work when upgrading an un-patched system to 2018 R2. After upgrading the Management Server, Recording Servers will not be able to communicate with the Management Server until they are patched. Consequently, Recording Servers should be patched first when upgrading to 2018 R2.

The upgrade path for 2018 R2 is as follows:

  • If the system is already patched, then the normal upgrade procedure will work.

  • If the system is not patched:

  1. Patch all Recording Servers (requires a restart of each server). Patch also the Failover Recording Server(s).
  2. Upgrade the Management Server.
  3. Upgrade the Recording Server(s).

(Again, a reminder: the standard upgrade procedure will work, but note that the Recording Server(s) will not work until they are upgraded.)

Note: Installing the hotfix will typically take no longer than 10 minutes per server.
Installation times may vary depending on how long it will take the servers to restart.

RESOLUTION

The issue is fixed in 2018 R2 (12.2a).

Versions of XProtect from 2016 R1 (10.0a) to 2018 R1 (12.1a) should use the provided hotfixes. You can access each hotfix (for 2016 R1, 2016 R2, 2016 R3, 2017 R1, 2017 R2, 2017 R3, 2018 R1) from the Download hotfix link below.

Also note that the hotfixes are part of the Cumulative Patches for 2017 R3 and 2018 R1 which are accessible from the following KBs:

  1. KB 4219, “XProtect 2017 R3 cumulative patch installers (for Management Client, Management Server, and Recording Server).”
  2. KB 4220, “XProtect 2018 R1 cumulative patch installer (for Management Server, Management Client, and Recording Server).”

If you have already installed the cumulative patches, no action is required.

DISCLAIMER

Important! We recommend that you contact your MOBOTIX Partner before you install hotfixes or updates. It is important to verify that your environment is compatible with the hotfixes or updates being installed. A hotfix or update may cause interoperability issues with customizations and third-party products that work with your XProtect solution.

DOWNLOAD HOTFIX

download.milestonesys.com/MTSKB/KB000004420/