Researchers have uncovered a number of vulnerabilities in a popular building access-control application called PremiSys, including hardcoded credentials that could allow an attacker to add new users, delete existing users, or perform many other administrative functions on the system.
The vulnerabilities are in IDenticard’s PremiSys version 3.1.190, and the hardcoded credentials give an attacker an easily exploitable way to gain access to the system. Jimi Sebree, senior research engineer at Tenable Security, discovered the bugs and said that the application offers administrators no way to change the hardcoded username and password.
“As it turns out, this hardcoded backdoor allows attackers to add new users to the badge system, modify existing users, delete users, assign permission, and pretty much any other administrative function,” Sebree said in a blog post detailing the vulnerability.
The issue lies in the PremiSysWCFService module, which handles a variety of tasks, including some authentication functions. Sebree found that there’s a function inside the module that contains the hardcoded credentials.
“Users are not permitted to change these credentials. The only mitigation appears to be to limit traffic to this endpoint, which may or may not have further impact on the availability of the application itself,” Tenable’s advisory says.
“These credentials can be used by an attacker to dump contents of the badge system database, modify contents, or other various tasks with unfettered access.”
PremiSys is a physical access-management system that includes video surveillance features, door control, and card management. Along with the hardcoded credentials, Sebree found a few other bugs, including the use of a weak encryption method to protect user credentials, a hardcoded password protecting local backup files, and default credentials for the local database that installs with the system.
Sebree said that typically an attacker would need to have local access to the PremiSys system in order to go after the vulnerabilities he discovered.
“While possible for these systems to be accessible over the internet, it is unlikely. In most cases, an attacker would need access to the network the badge system sits on in order to exploit the vulnerabilities,” Sebree said via email.
The Tenable Research team attempted to contact IDenticard several times after discovering the vulnerabilities in September, but got no response. Tenable then sent the vulnerability information to CERT, which also tried to contact IDenticard, to no avail.
Sebree suggested that organizations ensure their networks are segmented so that the physical access system isn’t directly integrated into the larger corporate network.
“Administrators should first double-check that these systems are not connected to the internet. They should also segment their network to ensure systems like PremiSys are isolated from internal and external threats as much as possible,” Sebree said.