ICS-CERT has published an advisory about three vulnerabilities with a high severity rating that are affecting the IDenticard PremiSys access control system. The vulnerabilities affect all versions of PremiSys software before version 4.1.
A malicious actor could successfully exploit the vulnerabilities and obtain full access to the system with admin privileges. That would allow theft of sensitive data stored in backups and access credentials. Remote exploitation of vulnerabilities is possible and even attackers with a low skill level could pull off a successful attack.
CVE-2019-3906 is the highest severity vulnerability with a CVSS v3 base score of 8.8. It involves hard-coded credentials and if exploited, would give the attacker full admin access to the PremiSys WCF Service endpoint.
CVE-2019-3907 is a vulnerability related to the method used to encrypt data. The flaw has been assigned a CVSS v3 base score of 7.5. The method used to encrypt data uses a weak algorithm which could be decrypted to steal sensitive information.
CVE-2019-3908 is a vulnerability with a CVSS v3 base score of 7.5. The system stores backup files as encrypted zip files; however a hard-coded password is included in the file and it is not possible to change the password. Exploitation of the vulnerability would allow an attacker to gain access to information stored in backups.
IDenticard has fixed the hard-coded credential vulnerability (CVE-2019-3906) in version 4.1 of its software. Users should update to version 4.1 as soon as possible. IDenticard expects to issue a new software version in February 2019 to address the other two vulnerabilities.
As a temporary mitigation, NCCIC makes the following recommendations:
- Users should restrict and monitor access to Port 9003/TCP
- Locate the system behind a firewall
- Ensure that the access control system is not accessible over the Internet.
- In case remote access is required, use a VPN for access.