[KBA-01438] HID door controller security vulnerability - HID

Series: HID
Revised/modified: 2017-03-07

[KBA-01438] HID door controller security vulnerability

This article explains a security vulnerability discovered in HID controllers.

Summary

A security vulnerability has been discovered in HID Edge and VertX controllers that allows remote code execution with root privileges. This vulnerability can be exploited using the controller UDP discovery service to inject commands into the controller, compromising the controller's security. Authentication is not required to exploit this vulnerability.

For example, an attacker can leverage this vulnerability by sending unauthenticated UDP packets to the devices to unlock all controlled doors.

The controller patch described below addresses this security vulnerability (vulnerability number ZDI-16-223).

NOTE: Upgrading Legacy units to firmware 2.2.7.568 and EVO units to 3.5.2.1837, or later versions, fixes this issue. There is no need to patch those firmware versions.

More Information

IMPORTANT: There are separate procedures for updating the HID Legacy and the HID EVO product lines.

Legacy VertX/EDGE controllers

Legacy HID controllers must be on firmware version 2.2.7.300 or higher. Refer to KBA-01050 for instructions to upgrade the firmware of Legacy controllers. Links to download the required firmware are available in KBA-01137.

To patch Legacy HID controllers:

  1. Download and extract the following patch, for Legacy controllers, to your workstation: VertX_EDGE-discoveryd.
  2. Rename the extracted VertXEDGE227SP5-discoveryd patch file to discoveryd.
  3. From a command prompt, use Telnet to log in to the controller using the root account.
  4. Stop the controller UDP discovery process by running the following command: /etc/init.d/discovery stop.
  5. From Windows Explorer or an FTP client, open an FTP session to the controller and browse to the following location: /mnt/apps/bin/.
  6. Overwrite the existing discoveryd file on the controller with the patched version.
  7. Return to the active Telnet session and restart the controller UDP discovery process by running the following command: /etc/init.d/discovery start.

EVO VertX/EDGE controllers

EVO HID controllers must be on firmware version 3.3.1.1168 or higher. Refer to KBA-01134 for download links and instructions to upgrade the firmware of EVO controllers.

To patch EVO HID controllers:

  1. Download and extract the following patch, for EVO controllers, to your workstation: VertX_EDGE-EVO-discoveryd.
  2. The extracted VertxEdgeEVOdiscoveryd-2.0.0-1.arm.rpm patch is applied in the same way as an HID EVO controller firmware upgrade. Refer to KBA-01134 for instructions to upgrade the firmware of EVO controllers.

For more information regarding this issue, refer to the Discovery Protocol Security Vulnerability Tech Bulletin.
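
To decide which of the cases above applies to each controller in a fleet, the following added example (not HID's code and not part of the original article) classifies controllers by product line and firmware version using the thresholds stated in this article. The inventory CSV layout, the function names, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Per product line: (minimum firmware the discoveryd patch requires,
#                    firmware that already fixes the issue). Values from this article.
THRESHOLDS = {
    "legacy": ((2, 2, 7, 300), (2, 2, 7, 568)),
    "evo": ((3, 3, 1, 1168), (3, 5, 2, 1837)),
}

def parse_version(text):
    """Turn '2.2.7.568' into (2, 2, 7, 568); raise ValueError if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"not a four-part firmware version: {text!r}")
    return tuple(int(p) for p in parts)

def triage(product_line, firmware):
    """Return the action this article prescribes for one controller."""
    key = product_line.strip().lower()
    if key not in THRESHOLDS:
        return "unknown-product-line"
    try:
        version = parse_version(firmware)  # numeric compare, so 2.2.7.39 < 2.2.7.300
    except ValueError:
        return "unreadable-version"
    minimum, fixed = THRESHOLDS[key]
    if version >= fixed:
        return "no-action"               # firmware already contains the fix
    if version >= minimum:
        return "apply-patch"             # eligible for the discoveryd patch
    return "upgrade-firmware-first"      # below the minimum the patch requires

def triage_inventory(csv_text):
    """Map controller name -> action for CSV columns name,product_line,firmware."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {r["name"]: triage(r["product_line"], r["firmware"]) for r in reader}

# Constructed sample inventory (hypothetical controllers, not real devices).
SAMPLE = """name,product_line,firmware
lobby-east,Legacy,2.2.7.568
dock-2,Legacy,2.2.7.300
stair-b,Legacy,2.2.7.39
server-room,EVO,3.3.1.1168
garage,EVO,3.10.0.5
annex,EVO,3.5.2
"""

if __name__ == "__main__":
    for name, action in triage_inventory(SAMPLE).items():
        print(f"{name:12} {action}")
```

Controllers reported as unreadable-version or unknown-product-line need a manual check before either procedure is applied.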