[R3] Multiple Premisys Identicard Vulnerabilities

The below vulnerabilities have been confirmed by Tenable for version 3.1.190 of Premisys Identicard. Latest versions of the software have not been tested due to access limitations, but are presumed to also be vulnerable.

CVE-2019-3906: Hardcoded Backdoor Account (Admin Access to Service)

The service contains hardcoded credentials of "IISAdminUsr" : "Badge1" that allow admin access to the service via the Premisys WCF Service endpoint on port 9003.

These credentials are unable to be changed by the user, and the only mitigation appears to be limiting traffic to this endpoint, which may or may not impact the availability of the service itself.

These credentials can be used by an attacker to dump contents of the badge system database, modify contents, or other various tasks with unfettered access.

CVE-2019-3907: Weak Hashing / Encryption Usage

User credentials and other sensitive information are stored with a known-weak encryption method (Base64 encoded MD5 hashes - salt + password).

CVE-2019-3908: Hardcoded Password (Viewing Backups)

Identicard backups are stored in an "idbak" format, which appears to be a password protected zip file. The password to unzip the contents is hardcoded into the application ("ID3nt1card"). This password is not configurable by an end user, which limits the ability to adequately protect content stored in backups.

An attacker with access to these backups could obtain access to potentially sensitive information within the backup. They could also arbitrarily modify contents of the backup, which could affect a future restore.

CVE-2019-3909: Default Database Credentials (Full Access to Service Databases)

The Identicard service installs with a default database username and password of "PremisysUsr" / "ID3nt1card". Instructions are provided to meet password standards when domain policies requires over 10 characters. This password is simply "ID3nt1cardID3nt1card". Users are unable to change these passwords without vendor intervention.