IDenticard PremiSys Access Control System Flaws Discovered

by Patrick Kennedy | Feb 7, 2019

ICS-CERT has released an advisory warning of three high-severity vulnerabilities in the IDenticard PremiSys access control system. All versions of PremiSys software prior to version 4.1 are affected.

Successful exploitation of the vulnerabilities could give an attacker full access to the system with administrative privileges, expose sensitive information stored in the system, and allow access to the contents of backups. The flaws are exploitable remotely, require only a low level of skill to exploit, and have been publicly disclosed.

The most serious of the three, CVE-2019-3906, relates to hard-coded credentials that grant full administrative access to the PremiSys WCF Service endpoint. An attacker who presents those credentials gains full access to the system with administrative privileges. The vulnerability has been assigned a CVSS v3 base score of 8.8.

User credentials and other sensitive data stored in the system are encrypted, but the encryption method used is weak and could be broken, exposing the stored information to theft. This vulnerability (CVE-2019-3907) has been assigned a CVSS v3 base score of 7.5.

Backups are saved as password-protected zip files, but the password needed to open them is hard-coded and cannot be changed. An attacker who obtains a backup file can therefore open it and view or steal its contents. This vulnerability (CVE-2019-3908) has been assigned a CVSS v3 base score of 7.5.
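The two hard-coded-secret flaws above (the WCF Service credentials and the fixed backup password) share one root cause: a secret baked into shipped software is identical on every installation, can be recovered by anyone who can read the binary, and cannot be changed by the operator. The following is an added illustration of that class of flaw beside a hardened pattern; it is not PremiSys code and the "hard-coded" constant is a placeholder, not the real credential. The hardened side generates a random secret per installation, stores only a salted PBKDF2 hash of it, verifies with a constant-time compare, and lets the operator rotate it.

```python
"""Hard-coded credential (the class of flaw in CVE-2019-3906 / CVE-2019-3908)
next to a hardened pattern: a per-installation secret generated at install
time, stored only as a salted PBKDF2 hash, and rotatable.

Added illustration; not PremiSys code.  HARDCODED_SERVICE_PASSWORD is a
placeholder, not the actual credential."""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

# --- Vulnerable pattern ----------------------------------------------------
# The secret lives in the shipped code: identical on every install, readable by
# anyone with the binary, and impossible for the operator to change.
HARDCODED_SERVICE_PASSWORD = "placeholder-shipped-password"  # placeholder value


def vulnerable_authenticate(supplied: str) -> bool:
    """Plain compare against a constant compiled into the product."""
    return supplied == HARDCODED_SERVICE_PASSWORD


# --- Hardened pattern ------------------------------------------------------
# Kept low so the demo runs quickly; production should use the current OWASP
# recommendation for PBKDF2-HMAC-SHA256 (600,000 iterations at time of writing).
PBKDF2_ITERATIONS = 100_000


class PerInstallCredentialStore:
    """Holds only (salt, hash) for one secret.  The plaintext exists exactly
    once, at generation time, when it is handed to the operator to record."""

    def __init__(self) -> None:
        self._salt: Optional[bytes] = None
        self._digest: Optional[bytes] = None

    def generate(self) -> str:
        """Create a fresh random secret for this installation; return it once."""
        secret = secrets.token_urlsafe(32)
        self._set(secret)
        return secret

    def rotate(self, current: str, new: str) -> bool:
        """Replace the secret only after proving knowledge of the current one."""
        if not self.verify(current):
            return False
        self._set(new)
        return True

    def verify(self, supplied: str) -> bool:
        if self._salt is None or self._digest is None:
            return False  # nothing provisioned yet: fail closed
        candidate = self._derive(supplied, self._salt)
        # Constant-time compare so timing does not leak how many bytes matched.
        return hmac.compare_digest(candidate, self._digest)

    def _set(self, secret: str) -> None:
        self._salt = os.urandom(16)
        self._digest = self._derive(secret, self._salt)

    @staticmethod
    def _derive(secret: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)


def demo() -> Dict[str, bool]:
    """Contrast the two designs across two installations, A and B."""
    install_a, install_b = PerInstallCredentialStore(), PerInstallCredentialStore()
    secret_a = install_a.generate()
    install_b.generate()
    results = {
        # Hard-coded: one value recovered from any copy works against every install.
        "hardcoded_reused_across_installs": vulnerable_authenticate(HARDCODED_SERVICE_PASSWORD),
        # Per-install: A's secret opens A and is useless against B.
        "per_install_a_on_a": install_a.verify(secret_a),
        "per_install_a_on_b": install_b.verify(secret_a),
    }
    # Rotation is possible, and the old value stops working afterwards.
    results["rotated"] = install_a.rotate(secret_a, "new-operator-chosen-secret")
    results["old_after_rotate"] = install_a.verify(secret_a)
    results["new_after_rotate"] = install_a.verify("new-operator-chosen-secret")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same reasoning applies to the backup archives: a per-installation, operator-changeable backup password removes the property that one recovered password opens every customer's backups.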

Tenable’s Jimi Sebree identified and reported the flaws.

IDenticard has addressed the hard-coded credentials vulnerability (CVE-2019-3906) in version 4.1, and users should update to that version. IDenticard is still developing fixes for the other two flaws; a software update addressing them is due to be released in February 2019.

As a temporary mitigation, NCCIC advises restricting and monitoring access to port 9003/TCP, placing the system behind a firewall, and ensuring the access control system is not reachable from the Internet. Where remote access is required, it should be over a secure channel such as an up-to-date VPN, recognizing that a VPN is only as secure as the devices connected to it.
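The "restrict and monitor" advice turns into a concrete check once the firewall in front of the PremiSys server logs its decisions. The following added example (not from the advisory or the vendor) scans firewall log lines for connections to 9003/TCP and flags any whose source is outside an approved management network, distinguishing an unapproved internal host from an address outside RFC 1918 space, which would mean the service is exposed to the Internet. The log format and all addresses are constructed for this illustration, loosely modelled on netfilter LOG key=value output; real deployments will need the parser adjusted to their firewall's format.

```python
"""Flag connections to the PremiSys service port, 9003/TCP, that did not come
from an approved management network.

Added example, not from the NCCIC advisory or IDenticard.  The log format is
constructed for this illustration (loosely modelled on netfilter LOG output)
and every address is a placeholder."""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Tuple

PREMISYS_PORT = "9003"

# RFC 1918 space, used to tell an unapproved internal host from an outside one.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample: an approved management host, an ordinary workstation, an
# outside address accepted, the same address probing UDP, an unrelated port, a
# dropped outside probe, and a line that is not a firewall record at all.
SAMPLE_LOG = """\
2019-02-07T10:15:02Z fw ACCEPT SRC=10.20.30.5 DST=10.20.1.10 PROTO=TCP SPT=51022 DPT=9003
2019-02-07T10:15:09Z fw ACCEPT SRC=10.20.44.17 DST=10.20.1.10 PROTO=TCP SPT=49211 DPT=9003
2019-02-07T10:16:41Z fw ACCEPT SRC=203.0.113.77 DST=10.20.1.10 PROTO=TCP SPT=40001 DPT=9003
2019-02-07T10:17:00Z fw ACCEPT SRC=203.0.113.77 DST=10.20.1.10 PROTO=UDP SPT=40002 DPT=9003
2019-02-07T10:17:30Z fw ACCEPT SRC=10.20.44.17 DST=10.20.1.10 PROTO=TCP SPT=49300 DPT=443
2019-02-07T10:18:00Z fw DROP SRC=198.51.100.9 DST=10.20.1.10 PROTO=TCP SPT=1337 DPT=9003
this line is not a firewall record
"""

_FIELD = re.compile(r"(\w+)=(\S+)")

Finding = Tuple[str, str, str, str]  # (timestamp, action, source, severity)


def parse_record(line: str) -> Optional[Tuple[str, str, Dict[str, str]]]:
    """Return (timestamp, action, fields) or None if the line is not a record."""
    parts = line.split(maxsplit=3)
    if len(parts) < 4:
        return None
    fields = dict(_FIELD.findall(parts[3]))
    if not {"SRC", "DST", "PROTO", "DPT"} <= fields.keys():
        return None
    return parts[0], parts[2], fields


def find_unexpected_premisys_access(lines: Iterable[str],
                                    allowed_sources: Iterable[str]) -> List[Finding]:
    """Every 9003/TCP connection from a source outside the approved networks.
    Dropped connections are reported too: they show who is probing the port."""
    allowed = [ipaddress.ip_network(n) for n in allowed_sources]
    findings: List[Finding] = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        ts, action, f = rec
        if f["PROTO"] != "TCP" or f["DPT"] != PREMISYS_PORT:
            continue  # the advisory concerns 9003/TCP specifically
        src = ipaddress.ip_address(f["SRC"])
        if any(src in net for net in allowed):
            continue
        severity = "unapproved-internal" if any(src in net for net in RFC1918) else "external"
        findings.append((ts, action, str(src), severity))
    return findings


def internet_reachable(findings: List[Finding]) -> List[Finding]:
    """The worst case: an outside address was ACCEPTed to 9003/TCP, so the
    system is reachable from the Internet despite the advisory."""
    return [f for f in findings if f[1] == "ACCEPT" and f[3] == "external"]


if __name__ == "__main__":
    hits = find_unexpected_premisys_access(SAMPLE_LOG.splitlines(), ["10.20.30.0/24"])
    for hit in hits:
        print(" ".join(hit))
    print(f"{len(internet_reachable(hits))} accepted connection(s) from outside RFC 1918 space")
```

Run against the constructed sample with 10.20.30.0/24 as the approved management network, the scan reports the workstation, the accepted outside connection and the dropped outside probe, and ignores the UDP packet and the HTTPS connection.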


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile.
