Vulnerabilities in PremiSys IDentity access system could allow attackers to bypass security

• Vulnerabilities discovered in the PremiSys IDentity access system could allow attackers to bypass its building entrance security.
• The vulnerabilities could allow an attacker to steal the information in the badge system database or modify it.

PremiSys ID developed by IDenticard Systems can be used for designing and printing building access badges, and for managing cardholder data, collect detailed facility data, and integrate with video monitoring systems.

A researcher named James Sebree from Tenable discovered four vulnerabilities in the PremiSys IDentity access system that could allow attackers to bypass its building entrance security.

The four vulnerabilities

Tenable described in a blog that four vulnerabilities have been confirmed in versions 3.1.190 of PremiSys ID.

• The most critical vulnerability is CVE-2019-3906, for hardcoded credentials that allow the administrator access to the service via the PremiSys Windows Communication Foundation (WCF) Service endpoint. This vulnerability allows attackers to dump contents of the badge system database, alter contents, or other various functions with unrestricted access.
• User credentials and other sensitive information were stored on a weak encryption method (Base64 encoded MD5 hashes - salt + password). This weak encryption vulnerability is identified as CVE-2019-3907.
• The third vulnerability CVE-2019-3908 relates to IDcard backups that are stored in an idbak format, a password protected zip file. The password to unzip the contents is hardcoded into the application ("ID3nt1card").
• The fourth vulnerability tracked as CVE-2019-3909 consists in using a default username and password pair to restrict access to the database. Unlocking this database gives an attacker full access to the sensitive contents.

“Users cannot change this password without sending custom passwords to the vendor directly in order to receive an encrypted variant to use in their configurations,” Tenable wrote.

No vendor patch available

Tenable has made multiple attempts to contact the vendor to fix these vulnerabilities. The cybersecurity firm delayed in making their findings public for more than 90 days, but the vendor hasn't responded. The 90 days deadline ended on January 3, 2019.

“Because there is no vendor patch, affected users will have to attempt to mitigate these vulnerabilities. Systems like this should never be open to the internet and users should ensure proper network segmentation is in place to isolate this critical system,” Tenable said.

On January 15, 2019, John Fox, a Senior Product Manager for IDenticard Systems told BleepingComputer that they apologize for overlooking Tenable's communication attempts and expect to release updates soon to address these vulnerabilities.

“We take the issues identified by Tenable, a leading third-party cyber security research company, seriously and are looking to incorporate their feedback into our ongoing product development cycle. PremiSys System software is constantly evolving and we appreciate the diligence Tenable outlined in their messages to us,” John Fox told BleepingComputer.

“The safety and security of our customers is our first priority. As a global leader in security and identification solutions, IDenticard is committed to continuous improvement and addressing customer concerns. As part of our ongoing agile software development process, we anticipate releasing improvements in the near term and will keep our customers updated with how those improvements address Tenable’s concerns,” Fox concluded.