SOYAL Biometric Access Control System 5.0 Master Code Disclosure
Title: SOYAL Biometric Access Control System 5.0 Master Code Disclosure
Advisory ID: ZSL-2021-5630
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (3/5)
Release Date: 18.03.2021
AR837E/EF - F/W: 4.3
AR725Ev2 - F/W: 4.3 191231
AR331/725E - F/W: 4.2
AR837E/EF - F/W: 4.1
AR-727CM /i - F/W: 4.09
AR-727CM /i - F/W: 4.06
AR-837E - F/W: 3.03
SOYAL Serial Device Server 4.03A
SOYAL Serial Device Server 4.01n
SOYAL Serial Device Server 3.07n
[03.02.2021] Vendor contacted.
[08.02.2021] No response from the vendor.
[09.02.2021] Distributor responds and informs vendor.
[09.02.2021] Sent details to distributor.
[10.02.2021] Asked distributor for status update.
[11.02.2021] Vendor will patch the issue.
[18.03.2021] Public security advisory released.
[2] https://www.exploit-db.com/exploits/49676
[3] https://cxsecurity.com/issue/WLB-2021030133
[4] https://packetstormsecurity.com/files/161874
[5] https://www.it.mk/bezbednost-mk-sajber-prostor-i-infrastruktura/
[6] https://www.it.mk/istrazuvanje-mk-sajber-infrastruktura-soyal-biometric-access-control-system/
[7] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28265
[8] https://nvd.nist.gov/vuln/detail/CVE-2021-28265
[23.03.2021] - Added reference [1], [2], [3] and [4]
[15.04.2021] - Added reference [5] and [6]
[19.06.2021] - Added reference [7] and [8]
Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2021-5630
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (3/5)
Release Date: 18.03.2021
Summary
Soyal Access systems are built into Raytel Door Entry Systems and are providing access and lift control to many buildings from public and private apartment blocks to prestigious public buildings.Description
The controller suffers from a cleartext transmission of sensitive information. This allows interception of the HTTP traffic and disclose the Master code and the Arming code via a man-in-the-middle attack. An attacker can obtain these codes to enter into the controller's Programming mode and bypass physical security controls in place.Vendor
SOYAL Technology Co., Ltd - https://www.soyal.comAffected Version
AR-727 i/CM - F/W: 5.0AR837E/EF - F/W: 4.3
AR725Ev2 - F/W: 4.3 191231
AR331/725E - F/W: 4.2
AR837E/EF - F/W: 4.1
AR-727CM /i - F/W: 4.09
AR-727CM /i - F/W: 4.06
AR-837E - F/W: 3.03
Tested On
SOYAL Technology WebServer 2.0SOYAL Serial Device Server 4.03A
SOYAL Serial Device Server 4.01n
SOYAL Serial Device Server 3.07n
Vendor Status
[25.01.2021] Vulnerability discovered.[03.02.2021] Vendor contacted.
[08.02.2021] No response from the vendor.
[09.02.2021] Distributor responds and informs vendor.
[09.02.2021] Sent details to distributor.
[10.02.2021] Asked distributor for status update.
[11.02.2021] Vendor will patch the issue.
[18.03.2021] Public security advisory released.
PoC
soyal_code.txtCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] https://exchange.xforce.ibmcloud.com/vulnerabilities/198552[2] https://www.exploit-db.com/exploits/49676
[3] https://cxsecurity.com/issue/WLB-2021030133
[4] https://packetstormsecurity.com/files/161874
[5] https://www.it.mk/bezbednost-mk-sajber-prostor-i-infrastruktura/
[6] https://www.it.mk/istrazuvanje-mk-sajber-infrastruktura-soyal-biometric-access-control-system/
[7] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28265
[8] https://nvd.nist.gov/vuln/detail/CVE-2021-28265
Changelog
[18.03.2021] - Initial release[23.03.2021] - Added reference [1], [2], [3] and [4]
[15.04.2021] - Added reference [5] and [6]
[19.06.2021] - Added reference [7] and [8]
Contact
Zero Science LabWeb: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk
