Multiple Vulnerabilities in IDenticard PremiSys Access Control System Could Allow for Administrative Access
MS-ISAC ADVISORY NUMBER:2019-007
Multiple vulnerabilities have been discovered in IDenticard’s PremiSys access control system, the most severe of which could allow for administrative access. PremiSys is an access control system that can manage door controls, access badges, facility data, and video monitoring systems. Successfully exploiting the most severe of these vulnerabilities could allow for administrative access to the system. An adjacent attacker could add new users to the badge system, modify and delete existing users, and perform additional administrative functions.
There are currently no reports of these vulnerabilities being exploited in the wild.
- IDenticard PremiSys version 3.1.190
- March 7 - UPDATED AFFECTED SYSTEMS: Identicard PremiSys versions prior to 4.2
- March 7 - UPDATED AFFECTED SYSTEMS: CVE-2019-3906 was resolved in Version 4.1
- Large and medium government entities: HIGH
- Small government entities: HIGH
- Large and medium business entities: HIGH
- Small business entities: HIGH
Multiple vulnerabilities have been discovered in IDenticard’s PremiSys access control system, the most severe of which could allow for remote administrative access. Details of the vulnerabilities are as follows:
- The service contains hardcoded credentials (CWE-798) that provide administrator access to the entire service via the PremiSys Windows Communication Foundation (WCF) Service endpoint. (CVE-2019-3906)
- User credentials and other sensitive information are stored with a known-weak encryption method (Base64 encoded MD5 hashes - salt + password). (CVE-2019-3907)
- Identicard backups are stored in an idbak format, which appears to simply be a password protected zip file. The password to unzip the contents is hardcoded into the application ("ID3nt1card"). (CVE-2019-3908)
- The IDenticard service installs with a default database username and password of "PremisysUsr" / "ID3nt1card." There are also instructions for meeting longer password standards by using "ID3nt1cardID3nt1card." Users cannot change this password without sending custom passwords to the vendor directly in order to receive an encrypted variant to use in their configurations. These known credentials can be used by attackers to access the sensitive contents of the databases. (CVE-2019-3909)
Successful exploitation of the most severe of these vulnerabilities could allow for administrative access. An adjacent attacker could add new users to the badge system, modify and delete existing users, and perform additional administrative functions.
We recommend the following actions be taken:
- Ensure proper network segmentation is in place to isolate this critical system.
- Work with the vendor to change the default password in accordance with a best practice password policy.
- Apply the Principle of Least Privilege to all systems and services.
***March 7 - UPDATED RECOMMENDATIONS:
- Apply the provided patch immediately after appropriate testing.
- Set a new password for the backup and restore feature***