New Vulnerabilities Show that Access System, PremiSys, Lacks Basic Security Standards
Security researchers at Tenable discovered that IDenticard’s popular card-based access system, PremiSys, used by government agencies, schools, and Fortune 500 companies, contains four significant vulnerabilities that could allow threat actors to gain control of the system. The most notable of these is CVE-2019-3906, which states that the system contains an unchangeable, hardcoded password for the administrator account, giving threat actors the ability to dump or modify the access database. CVE-2019-3907 states that user credentials are being stored with a weak hashing method using Base64 and MD5. A known default password is used to access a password-protected ZIP file that contains IDenticard backups, according to CVE-2019-3908. Lastly, CVE-2019-3909 states that a default username and password are set up for the database, and cannot be changed unless a request with the custom password is sent to the vendors. These flaws affect systems running the 3.1.190 version of the firmware, but possibly others as well. At the time of writing, IDenticard has yet to respond to the vulnerabilities or issue a patch to fix them. The NJCCIC highly recommends patching systems as soon as updates become available, segmenting your network to isolate the system, and disconnecting the system from the internet. For more information, review the Tenable blog post.