A hardcoded password and other unpatched vulnerabilities can allow hackers to take control over ID card-based building access systems, researchers from Tenable have revealed.
Despite being told of the issues by both Tenable and the US Computer Emergency Response Team (US-CERT), the vendor has not issued a patch, nor even responded to researchers.
The vulnerabilities, four in total, affect PremiSys, a card-based building access system developed by IDenticard. Details about the four flaws have been published today in a Tenable security advisory. More in-depth information is also available in a Medium blog post authored by the Tenable researcher who found the issues.
Of the four, the most important security flaw is the one tracked as CVE-2019-3906. According to Tenable, the PremiSys building access system comes with a hardcoded password for the admin account.
"Users are not permitted to change these credentials," Tenable researchers said. "The only mitigation appears to be to limit traffic to this endpoint, which may or may not have further impact on the availability of the application itself."
"These credentials can be used by an attacker to dump contents of the badge system database, modify contents, or other various tasks with unfettered access," researchers added.
The username and password are "IISAdminUsr" and "Badge1."
If PremiSys servers are exposed online, an attacker can use this username and password to access a building's ID card management system and introduce rogue cards or disable access control features altogether.
A Shodan search shows only a handful of these systems connected to the internet, a good sign that most companies have secured their systems. However, systems not connected to the internet can still be exploited from the local network.
The other three flaws, not as severe as the first but dangerous nonetheless, are:
- CVE-2019-3907 - User credentials and other sensitive information are stored with a known-weak encryption method (Base64-encoded MD5 hashes of salt + password).
- CVE-2019-3908 - IDenticard backups are stored inside a password protected ZIP file. The password is "ID3nt1card."
- CVE-2019-3909 - The IDenticard service installs with a default database username and password of "PremisysUsr" / "ID3nt1card." There are also instructions for meeting longer password standards by using "ID3nt1cardID3nt1card." Users cannot change this password without sending custom passwords to the vendor directly in order to receive an encrypted variant to use in their configurations. These known credentials can be used by attackers to access the sensitive contents of the databases.
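As an added example (not code from Tenable's advisory or from IDenticard), the weak storage scheme described under CVE-2019-3907 beside a hardened replacement, plus a heuristic a defender can run over an exported credential table to flag records that look like bare MD5 digests; the salt-before-password order, the encoding and the `pbkdf2_sha256$` record layout are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Weak scheme as described in the advisory: Base64(MD5(salt + password)).
# Byte order and encoding are assumed; a single unsalted-style fast hash
# like this can be brute-forced offline at billions of guesses per second.
def weak_store(password: str, salt: bytes) -> str:
    digest = hashlib.md5(salt + password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

def looks_like_weak_md5_record(stored: str) -> bool:
    """Heuristic for auditing an export: Base64 text that decodes to
    exactly 16 bytes is consistent with a raw MD5 digest."""
    try:
        raw = base64.b64decode(stored, validate=True)
    except (ValueError, TypeError):
        return False
    return len(raw) == hashlib.md5().digest_size

# Hardened replacement: PBKDF2-HMAC-SHA256 with a random per-user salt and
# a work factor, stored as algo$iterations$salt$digest so each field can
# be recovered (and the work factor raised later) without guessing.
PBKDF2_ITERATIONS = 600_000

def strong_store(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"))

def strong_verify(password: str, record: str) -> bool:
    algo, iters, salt_b64, digest_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"),
        base64.b64decode(salt_b64), int(iters))
    # Constant-time comparison avoids leaking digest bytes via timing.
    return hmac.compare_digest(expected, actual)
```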
Tenable says the vulnerabilities affect PremiSys systems running firmware version 3.1.190, and possibly others. Because the vendor did not cooperate with the researchers or with US-CERT, it is unclear whether the reported issues have been patched. Researchers were not able to obtain the latest version of the PremiSys firmware to check whether the vendor shipped a silent patch without notifying the research team, although this is highly unlikely.
According to its website, IDenticard has tens of thousands of customers around the world, including government agencies, Fortune 500 companies, K-12 schools, universities, medical centers and others.
Contacted for comment by ZDNet, an IDenticard spokesperson redirected our request to its parent company, the Brady Corporation. Attempts to get hold of a spokesperson who could speak on this security issue were unsuccessful after repeated calls.
Tenable researchers are now recommending that companies review whether their PremiSys systems are exposed online and how sysadmins are accessing PremiSys backends.
"To reduce the risk of compromise, users should segment their network to ensure systems like PremiSys are isolated from internal and external threats as much as possible," Tenable recommended.