Multiple hardcoded passwords enable attackers to generate badges for building access, video surveillance feed access, database manipulation, and more.
Most people who work in corporate America are familiar with building security and the requirement to swipe a badge to enter a building or office suite. As a result, the majority of employees likely feel confident that their belongings are physically protected from outsiders as they go about their day. Multiple zero-day vulnerabilities in the PremiSys access control system render any such sense of security potentially deceptive.
It has been discovered that IDenticard’s PremiSys building security system uses hard-coded and difficult-to-change default credentials for key administrative functions. Not only does this compromise the security of door controls and access restrictions, but the system also collects facility-specific information and integrates it with video surveillance systems. This creates both a data exfiltration/reconnaissance vector and a physical security risk.
Tenable, which discovered the vulnerabilities, stated on Tuesday that it has attempted to engage IDenticard numerous times without success. The 90-day disclosure period ended on January 3, so the research team has made the unpatched vulnerabilities public. In addition, the Computer Emergency Response Team (CERT) was informed. Tenable informed us that the vendor has not responded as of this writing.
IDenticard spokesperson John Fox admitted to Threatpost that the company’s oversight of Tenable’s communications is unacceptable.
“This is inexcusable, and we are reviewing our inbound communication practices to ensure it never happens again,” he stated.
Malicious Access Control
The vulnerabilities are confirmed in version 3.1.190 of PremiSys IDenticard, and may exist in the most recent version as well – the vendor did not respond to Tenable’s request for a test copy, so its security profile is currently unknown.
The most alarming flaw discovered by Tenable is CVE-2019-3906, which involves hardcoded credentials that allow remote administrator access to the entire system.
The system employs a component known as the PremiSys Windows Communication Foundation (WCF) Service, which enables users to create custom ID cards for personnel, manage access levels for particular rooms or regions of a building, interface with other systems, and remotely manage ID readers and similar devices.
Tenable explained in an advisory that users are prohibited from altering these credentials. “An attacker can use these credentials to dump the badge system database, modify its contents, and perform other unauthorized tasks.”
According to Jimi Sebree, senior research engineer at Tenable, this allows attackers to utilize what is essentially a hardcoded backdoor in a real-world scenario. This “permits attackers to add new users to the badge system, modify existing users, delete users, and assign permission,” he wrote in a blog about CVE-2019-3906.
During an interview with Threatpost, he elaborated: “If an attacker desired physical access to a building, they could create a new badge to bypass security. They could also disable locks on demand or grant themselves access to areas of the building to which they would not normally have permission.”
Fortunately, the credentials cannot be found online, Sebree informed us; however, once an attacker discovers them, they can be used at any organization that uses this system.
The remaining flaws are slightly less severe but still problematic. CVE-2019-3908, for instance, relates to a different password hardcoded for backups.
According to the report, “Identicard backups are stored in an idbak format, which appears to be a password-protected zip file. The password to decompress the archive is hardcoded into the application (‘ID3nt1card’).”
An attacker could use this information to duplicate an existing badge and gain access to the building.
A third flaw, CVE-2019-3907, stems from user credentials and other sensitive information being stored with a known-weak protection scheme (Base64-encoded MD5 hashes of salt + password). This could allow data exfiltration and the ability to move laterally through the network, for example to reach the video surveillance system or other data.
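As an added example that is not from the article or from IDenticard, here is how a defender might audit a credential store for the weak format described above (Base64-encoded MD5 of salt + password) and migrate entries to a salted PBKDF2 hash. The exact PremiSys storage layout is not public, so the concatenation order, the field names and the sample store below are assumptions constructed for this example.

```python
import base64
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 600_000  # high iteration count so offline guessing is slow


def legacy_hash(salt: str, password: str) -> str:
    """Weak scheme as described: Base64(MD5(salt + password)).
    Concatenation order is an assumption; MD5 is fast and unsuitable here."""
    digest = hashlib.md5((salt + password).encode()).digest()
    return base64.b64encode(digest).decode()


def is_legacy_hash(stored: str) -> bool:
    """A raw MD5 digest is exactly 16 bytes, so a Base64 value that decodes
    to 16 bytes is flagged as a legacy entry that still needs migrating."""
    try:
        raw = base64.b64decode(stored, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) == hashlib.md5().digest_size


def hardened_hash(password: str, salt: bytes = b"") -> str:
    """PBKDF2-HMAC-SHA256 with a random per-user salt, self-describing format."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "pbkdf2$%d$%s$%s" % (PBKDF2_ROUNDS,
                               base64.b64encode(salt).decode(),
                               base64.b64encode(dk).decode())


def verify_hardened(password: str, stored: str) -> bool:
    scheme, rounds, salt_b64, dk_b64 = stored.split("$")
    if scheme != "pbkdf2":
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(rounds))
    return hmac.compare_digest(dk, expected)  # constant-time comparison


def audit_store(store: dict) -> list:
    """Return the usernames whose entries are still in the legacy format."""
    return sorted(user for user, entry in store.items() if is_legacy_hash(entry))


# Constructed sample store (hypothetical users and passwords, not real data).
SAMPLE_STORE = {
    "badge_admin": legacy_hash("s4lt", "example-pass-1"),
    "auditor": hardened_hash("example-pass-2"),
}
```

Running `audit_store(SAMPLE_STORE)` lists only the account still on the legacy MD5 format, which is the set an operator would force to rotate and re-hash.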
CVE-2019-3909 relates to the use of difficult-to-change default database credentials, which could grant complete access to a service’s databases. Users are unable to change this password unless they send custom passwords to the vendor in order to receive an encrypted variant for use in their configurations. Worse, it is common knowledge what the defaults are.
“Only a fraction of the hardcoded credentials are accessible online,” Sebree told Threatpost. The WCF credentials could not be located online, but the default database credentials are available in the vendor documentation.
The default database username and password of “PremisysUsr/ID3nt1card” (and there are instructions for meeting longer password standards by using “ID3nt1cardID3nt1card”) can be used by attackers to access sensitive database contents, such as building survey data and entrance logs. The database’s contents could also be altered or deleted by malicious actors (so, someone could for instance erase evidence that a certain door was accessed at a certain time).
There is currently no patch. Fox of IDenticard informed us that the company intends to incorporate Tenable’s feedback into its ongoing product development cycle.
“PremiSys System software is constantly evolving, and we appreciate Tenable’s diligence in communicating with us,” he said. “The protection and safety of our customers is our top priority. IDenticard is committed to continuous improvement and addressing customer concerns as a global leader in security and identification solutions. As part of our ongoing agile software development process, we expect to release enhancements in the near future and will keep our customers informed of how these enhancements address Tenable’s concerns.”
IDenticard has tens of thousands of customers worldwide, including Fortune 500 companies, K-12 schools, universities, medical facilities, and government agencies, according to its website. According to Sebree, however, mitigation is a blunt instrument in the absence of a vendor patch.
“Initially, end users should verify that these systems are not connected to the internet,” he advised. They should also segment their network to ensure that systems such as PremiSys are as isolated as possible from internal and external threats.
Unfortunately, such security lapses are far from uncommon.
“Hardcoded and default credentials are still prevalent,” said Sebree. “News about the use of hardcoded credentials is fairly common. Although it is not uncommon to find hardcoded credentials, it is not a recommended security practice.”