Message-ID: <15e8c58f-7892-41df-a3ec-fc3b1be3ca3f@cloudaware.eu>
Date: Mon, 10 Feb 2025 23:21:18 +0100
From: Jeroen Hermans via Fulldisclosure <fulldisclosure@...lists.org>
To: fulldisclosure@...lists.org
Subject: [FD] CVE-2024-55447: Access Control in Paxton Net2 software (update)
CloudAware Security Advisory
CVE-2024-55447: Potential PII leak and incorrect access control in
Paxton Net2 software
========================================================================
Summary
========================================================================
Insecure backend database in the Paxton Net2 software.
Possible leaking of PII and incorrect access control.
Access cards can be cloned without physical access to the original card.
Audit log integrity compromised.
No physical access to the computer running Paxton Net2 is required.
========================================================================
Product
========================================================================
* Paxton Net2 (all current versions)
========================================================================
Detailed description
========================================================================
By exploiting MSSQL single-user mode it is possible to gain
administrator rights to the Net2 database.
In this database plaintext PIN codes for building entrance can be found
and changed. It is also possible to add users to the system and to
enable or disable users in the system. By reading tables in the MSSQL
database, PII is leaked.
Apart from the PII in plaintext in the database, card data is also
stored unencrypted in the database. Using the data in the database,
cards can be cloned without having the original card if a Mifare or
multi-protocol reader is used for building entrance.
The above vulnerabilities are also relevant for the integrity of the
audit logs in the Paxton Net2 software. These audit logs should never be
used as forensic data: not only can cards be cloned, but audit log data
can be manipulated directly in the database tables.
In order to gain access, local access to the computer running Net2 is
necessary, but this can also be obtained over a network, e.g. using
AnyDesk, so physical access is not necessary.
The vendor has not acknowledged the vulnerability after contact. There
is no fix planned.
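The access path above relies on a documented SQL Server behaviour: when the
instance is started with the -m startup parameter (single-user mode), any
member of the host's local Administrators group can connect as a member of the
sysadmin role, regardless of the logins configured inside the instance. The
flag and the subsequent logins are recorded in the SQL Server ERRORLOG, which
gives defenders who can only "monitor local access" something concrete to
watch. The following parser is an added example written for this page; it is
not part of the advisory or of the linked exploit code. The ERRORLOG lines it
processes are constructed and their wording is approximate; the file paths,
host name and account name in them are hypothetical.

```python
"""Flag SQL Server process lifetimes that began in single-user mode (-m) and
list the logins recorded during each such window, from ERRORLOG text.

Added example for illustration; sample log lines are constructed and the
ERRORLOG wording is approximate, paths and account names are hypothetical.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# One ERRORLOG entry: "<timestamp> <source> <message>". Continuation lines
# (e.g. one startup parameter per line) are indented and do not match.
ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) (\S+)\s+(.*)$")
LOGIN_RE = re.compile(r"Login succeeded for user '([^']+)'.*\[CLIENT: ([^\]]+)\]")
SINGLE_USER_MSG = "started in single-user mode"

# Constructed sample: a normal start on 2024-11-25, then a restart with -m on
# 2024-11-26 followed by a local Windows login (the attacker's sysadmin session).
SAMPLE_ERRORLOG = r"""
2024-11-25 08:00:01.10 Server      Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)
2024-11-25 08:00:01.20 Server      Registry startup parameters:
     -d C:\SQLData\master.mdf
     -e C:\SQLData\Log\ERRORLOG
     -l C:\SQLData\mastlog.ldf
2024-11-25 08:00:05.00 spid10s     Starting up database 'Net2'.
2024-11-26 10:15:01.95 Server      Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)
2024-11-26 10:15:02.12 Server      Registry startup parameters:
     -d C:\SQLData\master.mdf
     -e C:\SQLData\Log\ERRORLOG
     -l C:\SQLData\mastlog.ldf
2024-11-26 10:15:02.15 Server      Command Line Startup Parameters:
     -m
2024-11-26 10:15:03.01 Server      Warning ******************
2024-11-26 10:15:03.01 Server      SQL Server started in single-user mode. This an informational message only. No user action is required.
2024-11-26 10:15:40.22 Logon       Login succeeded for user 'NET2-SERVER\localadmin'. Connection made using Windows authentication. [CLIENT: <local machine>]
""".strip("\n")


@dataclass
class InstanceRun:
    """One start-to-shutdown lifetime of the SQL Server process."""
    started_at: str
    params: List[str] = field(default_factory=list)
    single_user: bool = False
    logins: List[Tuple[str, str, str]] = field(default_factory=list)  # (time, user, client)


def parse_errorlog(lines):
    """Split ERRORLOG lines into InstanceRun records, one per process start."""
    runs = []
    current = None
    in_params = False
    for raw in lines:
        m = ENTRY_RE.match(raw)
        if not m:
            # Indented continuation line: a startup parameter belonging to the
            # "... parameters:" header seen just before it.
            if current is not None and in_params and raw.strip():
                param = raw.strip()
                current.params.append(param)
                # Bare -m, or -m"AppName" (single-user restricted to one client
                # application), both start the instance in single-user mode.
                if param == "-m" or param.startswith('-m"'):
                    current.single_user = True
            continue
        ts, source, msg = m.groups()
        in_params = False
        if source == "Server" and msg.startswith("Microsoft SQL Server"):
            current = InstanceRun(started_at=ts)  # version banner marks a new start
            runs.append(current)
        elif current is None:
            continue
        elif source == "Server" and msg.lower().endswith("parameters:"):
            in_params = True
        elif source == "Server" and SINGLE_USER_MSG in msg:
            current.single_user = True  # belt and braces: the explicit warning line
        elif source == "Logon":
            lm = LOGIN_RE.search(msg)
            if lm:
                current.logins.append((ts, lm.group(1), lm.group(2)))
    return runs


def single_user_runs(lines):
    """Return only the runs started in single-user mode, i.e. the windows in
    which any local Administrator could connect as sysadmin."""
    return [r for r in parse_errorlog(lines) if r.single_user]


if __name__ == "__main__":
    for run in single_user_runs(SAMPLE_ERRORLOG.splitlines()):
        print(f"ALERT: instance started in single-user mode at {run.started_at}; "
              f"startup params: {run.params}")
        for ts, user, client in run.logins:
            print(f"  login at {ts}: {user} from {client}")
```

Successful-login lines only appear when the instance's login auditing covers
successful logins; without that, the parser still reports the -m start itself.
On a live host the same signal can be checked without reading logs: the
instance registry key's SQLArg values hold the startup parameters, and
`SELECT SERVERPROPERTY('IsSingleUser')` returns 1 while the instance is in
that mode. Because the attacker needs to restart the service to add -m, an
unexpected service restart on the Net2 host is itself worth alerting on.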
========================================================================
Solution
========================================================================
As the vendor has not acknowledged the vulnerability there is no
effective remediation for this vulnerability.
The most effective measure at this moment is closely monitoring who has
local access to the machine running the Net2 software.
========================================================================
Mitigation
========================================================================
There is no known effective mitigation. Limiting who has local access to
the machine running the Net2 software seems the most effective measure.
Card cloning can be mitigated by not using
========================================================================
Weblinks
========================================================================
- https://github.com/gitaware/CVE/tree/main/CVE-2024-55447
- https://seclists.org/fulldisclosure/2024/Dec/0
- exploit code is available on GitHub to help with mitigation
========================================================================
Discoverers
========================================================================
Jeroen Hermans, CloudAware j.hermans[at]cloudaware[dot]eu
Emiel van Berlo, Danego emiel[at]danego[dot]nl
========================================================================
History
========================================================================
Nov 12, 2024: Requested latest Net2 software from Paxton
Nov 26, 2024: Obtained latest Net2 software from a source other than
the manufacturer
Nov 26, 2024: Informed Paxton about the vulnerability
Nov 27, 2024: Release of exploit code
Dec 2, 2024: CVE reservation refused by Paxton; CVE reservation requested
directly at MITRE
Feb 10, 2025: CVE assigned via MITRE