Tenable Research says it has discovered four zero-day vulnerabilities in the PremiSys building access control system developed by the US firm IDenticard. When exploited, the most severe vulnerability would give an attacker unfettered access to the badge system database, allowing him/her to covertly enter buildings by creating fraudulent badges and disabling building locks.
This discovery comes just a few months after Tenable Research found another zero-day flaw — dubbed Peekaboo — in global video surveillance software.
According to Tenable, the PremiSys zero-days are a stark reminder that the mass adoption of emerging technologies has quickly blurred the lines between physical and digital security. PremiSys technology allows customers to grant and restrict access to doors, lockdown facilities and view integrated video.
Once exploited, the most severe flaw would give cybercriminals administrator access to the entire badge system database via the PremiSys Windows Communication Foundation (WCF) service endpoint. Using the administrator privileges, attackers can perform a variety of actions like downloading the full contents of the system database, modifying its contents or deleting users.
Renaud Deraison, co-founder and chief technology officer, Tenable said: “An organization’s security purview is no longer confined by a firewall, subnets, or physical perimeter — it’s now boundaryless. This makes it critically important for security teams to have complete visibility into where they are exposed and to what extent. Organizations that use PremiSys for access control are at a huge risk as patches are not available. Beyond this particular issue, the security industry needs to have a wider dialogue about embedded systems and their maintainability over time.”
Tenable Research disclosed the vulnerabilities (CVE-2019-3906, CVE-2019-3907, CVE-2019-3908, CVE-2019-3909), which affect version 3.1.190, to IDenticard following standard procedures outlined in its vulnerability disclosure policy. The team made multiple attempts to contact the vendor. On November 19, Tenable informed CERT of the vulnerability.
To reduce the risk of compromise, users should segment their network to ensure systems like PremiSys are isolated from internal and external threats as much as possible.
