ICS-CERT has released a warning in relation to three high severity vulnerabilities in the IDenticard PremiSys access control system. All versions of PremiSys software before version 4.1 are affected by the flaws.
If the vulnerabilities are effectively targeted, an attacker could gain full access to the system with administrative privileges, steal sensitive information included in backups, and gain access to stored details. The flaws could be targeted from a remote location and require a low level of expertise to exploit. Details of the flaws have been publicly disclosed.
The highest severity vulnerability, CVE-2019-3906, relates to hard-coded credentials which permit full admin access to the PremiSys WCF Service endpoint. If properly exploited, the hacker could gain full access to the system with administrative privileges. The vulnerability has been given a CVSS v3 base score of 8.8.
User credentials and other sensitive data stored in the system are encrypted; however, a weak method of encryption has been implemented which could possibly be cracked leading to the exposure and theft of information. The vulnerability (CVE-2019-3907) has been given a CVSS v3 base score of 7.5.
Backup files are saved by the system as encrypted zip files; however, the password needed to unlock the backups is hard-coded and cannot be amended. There is a chance a hacker could obtain access to the backup files and view/steal information. The vulnerability (CVE-2019-3908) has been given a CVSS v3 base score of 7.5.
Tenable’s Jimi Sebree identified and reported the flaws.
IDenticard has addressed the hard-coded credentials vulnerability (CVE-2019-3906). Users should run an update to bring the software up to date with version 4.1 to address the vulnerability. IDenticard is currently developing a remedy for the other two flaws. A software update addressing those vulnerabilities is due to be released in February 2019.
As a temporary mitigation, NCCIC advises restricting and monitoring access to Port 9003/TCP, placing the system behind a firewall and ensuring the access control system is not reachable from the Internet. If remote access is required, secure methods should be used for access, including an up-to-date VPN.
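One way to put the "monitor access to 9003/TCP" advice into practice, as an added example that is not part of the advisory or of IDenticard's software: a small checker that reads firewall log lines and flags any connection to 9003/TCP whose source is outside an allowlist of networks. The log line format, the addresses and the allowlist are all constructed for illustration.

```python
import ipaddress
import re
from typing import Dict, List

PREMISYS_PORT = 9003  # WCF service endpoint port named in the advisory

# Constructed sample firewall log lines; the field layout is assumed, not a real product format.
SAMPLE_LOGS = """\
2019-01-15T10:01:02Z ACCEPT src=10.20.30.5 dst=10.20.30.100 proto=TCP dpt=9003
2019-01-15T10:02:10Z ACCEPT src=198.51.100.77 dst=10.20.30.100 proto=TCP dpt=9003
2019-01-15T10:02:11Z ACCEPT src=10.20.30.5 dst=10.20.30.100 proto=TCP dpt=443
2019-01-15T10:03:00Z DROP src=203.0.113.9 dst=10.20.30.100 proto=TCP dpt=9003
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dpt=(?P<dpt>\d+)$"
)


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into its named fields; reject lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def find_unexpected_access(log_text: str, allowed_nets: List[str]) -> List[Dict[str, str]]:
    """Return every TCP event to PREMISYS_PORT whose source is outside allowed_nets.

    Accepted connections are tagged severity 'high' (the endpoint was reached);
    dropped ones are tagged 'info' so blocked attempts are still visible to monitoring.
    """
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["proto"].upper() != "TCP" or int(rec["dpt"]) != PREMISYS_PORT:
            continue
        src = ipaddress.ip_address(rec["src"])
        if any(src in net for net in nets):
            continue  # source is in a permitted management network
        rec["severity"] = "high" if rec["action"] == "ACCEPT" else "info"
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_unexpected_access(SAMPLE_LOGS, ["10.20.30.0/24"]):
        print(f"{hit['ts']} [{hit['severity']}] {hit['action']} {hit['src']} -> {PREMISYS_PORT}/tcp")
```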