ICS-CERT has issued a warning in relation to three high severity weaknesses in the IDenticard PremiSys access control system. All varieties of PremiSys software before version 4.1 are affected by the flaws.
If the weaknesses are effectively targeted it might result in full access being obtained to the system with administrative rights, theft of confidential information included in backups, and access being gained to details. The weaknesses might be targeted from a distant place and require a low level of expertise to abuse. Details of the weaknesses have been publicly disclosed.
The maximum severity weakness CVE-2019-3906 is related to hard-coded identifications which allow complete admin access to the PremiSys WCF Service endpoint. If properly exploited the hacker could gain complete access to the system with administrative rights. The weakness has been given a CVSS v3 base score of 8.8.
User identifications and other confidential data saved in the system are encrypted; nevertheless, a weak method of encryption has been applied which could probably be cracked resulting in the disclosure and theft of information. The weakness (CVE-2019-3907) has been given a CVSS v3 base score of 7.5.
Backup files are saved by the system as encrypted zip files; nevertheless, the password needed to unlock the standbys is hard-coded and cannot be altered. There is a chance a hacker could get access to the backup files and view/steal information. The weakness (CVE-2019-3908) has been given a CVSS v3 base score of 7.5.
Tenable’s Jimi Sebree identified and reported the faults.
IDenticard has tackled the hard-coded identifications weakness (CVE-2019-3906). Users must run an update to bring the software up to date with type 4.1 to tackle the weakness. IDenticard is presently developing a solution for the other two faults. A software update tackling those weaknesses is due to be released in February 2019.