The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued an alert about vulnerabilities found in the IDenticard PremiSys access control system.
ICS-CERT, a US government organisation that works to reduce cyber risk to critical infrastructure operators, stated that all versions of the PremiSys software before 4.1 are affected by the vulnerabilities.
A threat actor who successfully exploited the vulnerabilities would obtain full administrative access to the system. With those privileges, the attacker could read the sensitive information contained in backups and recover the user credentials stored on the system.
The ICS-CERT advisory states that a threat actor with a low level of technical skills could exploit the vulnerabilities.
A summary of the vulnerabilities is as follows:
CVE-2019-3906: the highest-risk vulnerability identified. The PremiSys WCF Service endpoint contains hard-coded credentials that grant full administrative access. A threat actor who successfully exploits this vulnerability obtains full control of the system with administrative privileges. The vulnerability has been assigned a CVSS v3 base score of 8.8.
CVE-2019-3907: User credentials and other sensitive information stored by the system are encrypted, but with an inadequately strong encryption method. An attacker who obtains the stored data could potentially recover the plaintext, exposing credentials and other sensitive information. This has been assigned a CVSS v3 base score of 7.5.
CVE-2019-3908: The system stores backups as password-protected zip files, but the password required to open them is hard-coded and cannot be changed by the customer. An attacker who obtains a backup file can therefore extract and read its contents. This has been assigned a CVSS v3 base score of 7.5.
The vulnerabilities were discovered and reported by Jimi Sebree, an employee at the cybersecurity company Tenable.
IDenticard has corrected the hard-coded credentials vulnerability (CVE-2019-3906). Users should update to version 4.1 of the software to correct the flaw. IDenticard is currently working on a fix for the other two flaws. A software update correcting those flaws is expected to be released in February 2019.
As interim mitigation, the National Cybersecurity & Communications Integration Center (NCCIC) recommends restricting and monitoring access to Port 9003/TCP, placing the system behind a firewall, and ensuring the access control system is not reachable from the Internet. If remote access is necessary, secure methods should be used, such as an up-to-date VPN, bearing in mind that a VPN is only as secure as the devices connected to it. NCCIC also recommends that operators of the affected systems take the usual precautions against cyber attacks, such as not clicking links or opening attachments in suspicious emails.
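One practical way to act on the "restrict and monitor access to Port 9003/TCP" recommendation is to log every connection attempt to that port at the firewall in front of the PremiSys server and alert on sources outside the approved management network. The script below is an added example, not code from the advisory or from IDenticard. It parses lines in the format written by a Linux netfilter LOG rule and flags TCP connections to port 9003 from addresses outside an allowlist. The log prefix "PREMISYS:", the allowlisted management subnet 10.20.0.0/24, the server address 10.20.1.5 and the sample log lines are all constructed for the example.

```python
"""
Flag connection attempts to the PremiSys port (9003/TCP) that do not come from
an approved management network.

Added example, not from the ICS-CERT advisory or IDenticard. The lines are in
the format produced by a netfilter LOG rule such as
    iptables -A INPUT -p tcp --dport 9003 -j LOG --log-prefix "PREMISYS: "
The prefix, the allowlisted subnet, the server address and the sample log
lines below are constructed for illustration.
"""
import ipaddress
import re

# Port named in the advisory's interim mitigation guidance.
PREMISYS_PORT = 9003

# Assumed management network permitted to reach the server (constructed).
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]

# Matches the SRC/DST/PROTO/DPT fields written by the netfilter LOG target.
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dport>\d+)"
)


def parse_line(line):
    """Return (src, dst, proto, dport) for a netfilter LOG line, or None if the
    line is not a firewall log entry."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return (m.group("src"), m.group("dst"), m.group("proto"), int(m.group("dport")))


def is_allowed(src):
    """True if the source address lies inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)


def find_unexpected_access(lines):
    """Return (src, dst) pairs for TCP connections to 9003 from outside the
    allowlist. Other ports, other protocols and non-firewall lines are ignored."""
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, proto, dport = parsed
        if proto != "TCP" or dport != PREMISYS_PORT:
            continue
        if not is_allowed(src):
            alerts.append((src, dst))
    return alerts


# Constructed sample log: one approved host, one Internet source, an unrelated
# HTTPS connection, a UDP probe to 9003, a non-firewall line, and an internal
# host that is not on the management subnet.
SAMPLE_LOG = [
    "Jan 18 09:12:01 acs kernel: PREMISYS: IN=eth0 OUT= SRC=10.20.0.15 DST=10.20.1.5 LEN=60 TTL=64 ID=1 DF PROTO=TCP SPT=51234 DPT=9003 WINDOW=29200 SYN",
    "Jan 18 09:12:07 acs kernel: PREMISYS: IN=eth0 OUT= SRC=203.0.113.45 DST=10.20.1.5 LEN=60 TTL=52 ID=2 DF PROTO=TCP SPT=40001 DPT=9003 WINDOW=65535 SYN",
    "Jan 18 09:12:09 acs kernel: PREMISYS: IN=eth0 OUT= SRC=198.51.100.7 DST=10.20.1.5 LEN=60 TTL=50 ID=3 DF PROTO=TCP SPT=40002 DPT=443 WINDOW=65535 SYN",
    "Jan 18 09:12:11 acs kernel: PREMISYS: IN=eth0 OUT= SRC=198.51.100.7 DST=10.20.1.5 LEN=40 TTL=50 ID=4 PROTO=UDP SPT=40003 DPT=9003 LEN=20",
    "Jan 18 09:12:15 acs sshd[2201]: Accepted publickey for ops from 10.20.0.15 port 52000 ssh2",
    "Jan 18 09:12:20 acs kernel: PREMISYS: IN=eth0 OUT= SRC=192.168.50.9 DST=10.20.1.5 LEN=60 TTL=63 ID=5 DF PROTO=TCP SPT=33000 DPT=9003 WINDOW=29200 SYN",
]

if __name__ == "__main__":
    for src, dst in find_unexpected_access(SAMPLE_LOG):
        print(f"ALERT: unexpected access to {dst}:{PREMISYS_PORT}/tcp from {src}")
```

Run against the constructed sample, the script reports 203.0.113.45 (an Internet address, which should never reach the port if the system is properly isolated) and 192.168.50.9 (an internal host outside the management subnet). The UDP probe and the HTTPS connection are deliberately ignored so the alert stays specific to the service port the advisory names; widen the filter if the firewall policy also blocks other ports.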