A hardcoded password and other unpatched vulnerabilities can allow hackers to take control of ID card-based building access systems, researchers from Tenable have revealed.

Despite being told of the issues by both Tenable and the US Computer Emergency Response Team (US-CERT), the vendor has not issued a patch, nor even responded to researchers.

The vulnerabilities, four in total, affect PremiSys, a card-based building access system developed by IDenticard. Details about the four flaws have been published today in a Tenable security advisory. More in-depth information is also available in a Medium blog post authored by the Tenable researcher who found the issues.

Of the four, the most important security flaw is the one tracked as CVE-2019-3906. According to Tenable, the PremiSys building access system comes with a hardcoded password for the admin account.

“Users are not permitted to change these credentials,” Tenable researchers said. “The only mitigation appears to be to limit traffic to this endpoint, which may or may not have further impact on the availability of the application itself.”

“These credentials can be used by an attacker to dump contents of the badge system database, modify contents, or other various tasks with unfettered access,” researchers added.

The username and password are “IISAdminUsr” and “Badge1.” If PremiSys servers are exposed…
ZDNet is a business technology news website published by CBS Interactive, along with TechRepublic. The brand was founded on April 1, 1991, as a general interest technology portal from Ziff Davis and evolved into an enterprise IT-focused online publication owned by CNET Networks.