[KBA-01438] HID door controller security vulnerability
This article explains a security vulnerability discovered with HID controllers.
A security vulnerability has been discovered in HID Edge and VertX controllers that allows remote code execution with root privileges. The vulnerability can be exploited through the controller UDP discovery service to inject commands into the controller, compromising the controller's security. Authentication is not required to exploit this vulnerability.
For example, an attacker can leverage this vulnerability to unlock all controlled doors by sending unauthenticated UDP packets to the devices.
The following controller patch addresses this security vulnerability (Vulnerability Number ZDI-16-223).
Legacy VertX/EDGE controllers
Legacy HID controllers must be on firmware version 220.127.116.110 or higher. Refer to KBA-01050 for instructions to upgrade the firmware of Legacy controllers. Links to download the required firmware are available in KBA-01137.
To patch Legacy HID controllers:
- Download and extract the following patch, for Legacy controllers, to your workstation: VertX_EDGE-discoveryd.
- Rename the extracted VertXEDGE227SP5-discoveryd patch file to discoveryd.
- From a command prompt, use Telnet to log in to the controller using the root account.
- Stop the controller UDP discovery process by running the following command: /etc/init.d/discovery stop.
- From Windows Explorer or an FTP client, open an FTP session to the controller and browse to the following location: /mnt/apps/bin/.
- Overwrite the existing discoveryd file on the controller with the patched version.
- Return to the active Telnet session and restart the controller UDP discovery process by running the following command: /etc/init.d/discovery start.
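A way to confirm that the overwrite in the steps above left the controller with an intact copy of the patched file, shown as an added example that is not part of the original article or of HID's tooling. It assumes an FTP account on the controller that can read /mnt/apps/bin/discoveryd; the function names and the status labels are hypothetical, and the line-ending check is a heuristic for a transfer made in text (ASCII) mode, which rewrites line endings and damages a binary.

```python
import hashlib
from ftplib import FTP
from io import BytesIO

REMOTE_PATH = "/mnt/apps/bin/discoveryd"  # location given in the steps above


def fetch_remote(host, user, password, path=REMOTE_PATH, timeout=10):
    """Download the controller's copy in binary mode (credentials are assumed)."""
    buf = BytesIO()
    with FTP(host, timeout=timeout) as ftp:
        ftp.login(user, password)
        ftp.retrbinary(f"RETR {path}", buf.write)
    return buf.getvalue()


def compare_patch(local, remote):
    """Classify the controller's copy against the local patched discoveryd bytes."""
    result = {
        "local_sha256": hashlib.sha256(local).hexdigest(),
        "remote_sha256": hashlib.sha256(remote).hexdigest(),
    }
    if local == remote:
        result["status"] = "match"
    elif remote == local.replace(b"\r\n", b"\n"):
        # Every CRLF pair collapsed to LF: typical of a text-mode upload.
        result["status"] = "ascii-mode-corruption"
    elif local.startswith(remote):
        # Remote copy is a prefix of the patch: the upload was cut short.
        result["status"] = "truncated"
    else:
        result["status"] = "different"
    return result


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 5:  # usage: script.py HOST USER PASSWORD LOCAL_FILE
        host, user, password, local_file = sys.argv[1:5]
        with open(local_file, "rb") as fh:
            report = compare_patch(fh.read(), fetch_remote(host, user, password))
        print(report)
        sys.exit(0 if report["status"] == "match" else 1)
    # Offline demo on constructed bytes (not a real discoveryd binary).
    sample = b"\x7fELF\r\n\x00constructed\r\n"
    print(compare_patch(sample, sample.replace(b"\r\n", b"\n"))["status"])
```

Any status other than match means the file on the controller is not the patched binary and should be uploaded again in binary mode before the discovery process is relied on.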
EVO VertX/EDGE controllers
EVO HID controllers must be on firmware version 18.104.22.1688 or higher. Refer to KBA-01134 for download links and instructions to upgrade the firmware of EVO controllers.
To patch EVO HID controllers:
- Download and extract the following patch, for EVO controllers, to your workstation: VertX_EDGE-EVO-discoveryd.
- The extracted VertxEdgeEVOdiscoveryd-2.0.0-1.arm.rpm patch is applied in the same way as an HID EVO controller firmware upgrade. Refer to KBA-01134 for instructions to upgrade the firmware of EVO controllers.
For more information regarding this issue, refer to the Discovery Protocol Security Vulnerability Tech Bulletin.