Multiple Vulnerabilities in IDenticard PremiSys Access Control System Could Allow for Administrative Access

Multiple Vulnerabilities in IDenticard PremiSys Access Control System Could Allow for Administrative Access

MS-ISAC ADVISORY NUMBER:

2019-007

DATE(S) ISSUED:

01/17/2019

OVERVIEW:

Multiple vulnerabilities have been discovered in IDenticard’s PremiSys access control system, the most severe of which could allow for administrative access. PremiSys is an access control system that can manage door controls, access badges, facility data, and video monitoring systems. Successfully exploiting the most severe of these vulnerabilities could allow for administrative access to the system. An adjacent attacker could add new users to the badge system, modify and delete existing users, and perform additional administrative functions.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • IDenticard PremiSys version 3.1.190

RISK:

Government:

  • Large and medium government entities: HIGH
  • Small government entities: HIGH

Businesses:

  • Large and medium business entities: HIGH
  • Small business entities: HIGH

Home Users:

LOW

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in IDenticard’s PremiSys access control system, the most severe of which could allow for remote administrative access. Details of the vulnerabilities are as follows:

  • The service contains hardcoded credentials (CWE-798) that provide administrator access to the entire service via the PremiSys Windows Communication Foundation (WCF) Service endpoint. (CVE-2019-3906)
  • User credentials and other sensitive information are stored with a known-weak encryption method (Base64 encoded MD5 hashes – salt + password). (CVE-2019-3907)
  • Identicard backups are stored in an idbak format, which appears to simply be a password protected zip file. The password to unzip the contents is hardcoded into the application ("ID3nt1card"). (CVE-2019-3908)
  • The IDenticard service installs with a default database username and password of "PremisysUsr" / "ID3nt1card." There are also instructions for meeting longer password standards by using "ID3nt1cardID3nt1card." Users cannot change this password without sending custom passwords to the vendor directly in order to receive an encrypted variant to use in their configurations. These known credentials can be used by attackers to access the sensitive contents of the databases. (CVE-2019-3909)

Successful exploitation of the most severe of these vulnerabilities could allow for administrative access. An adjacent attacker could add new users to the badge system, modify and delete existing users, and perform additional administrative functions.

RECOMENDATIONS:

We recommend the following actions be taken:

  • Ensure proper network segmentation is in place to isolate this critical system.
  • Work with the vendor to change the default password in accordance with a best practice password policy.
  • Apply the Principle of Least Privilege to all systems and services.

REFERENCES: