#VU18948 Authentication bypass using an alternate path or channel in iDoors Reader


Published: 2019-07-01 | Updated: 2019-07-02

Vulnerability identifier: #VU18948

Vulnerability risk: Medium

CVSSv3.1: 7.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-5964

CWE-ID: CWE-288

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
iDoors Reader
Mobile applications / Apps for mobile phones

Vendor: A.T.WORKS, Inc.

Description

The vulnerability allows an attacker on the local network to operate the device without authenticating.

The vulnerability exists due to an improper implementation of the authentication process. An attacker on the local network can bypass the authentication process and gain unrestricted access to the management console.

Successful exploitation of the vulnerability may allow an attacker to change the device settings, reset the administrator account, and use the management screen.
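The advisory does not describe the mechanism, so the following is a generic illustration of the weakness class (CWE-288, authentication bypass using an alternate path or channel) added here; it is not code from iDoors Reader or A.T.WORKS. A hypothetical request dispatcher enforces the login check only on the path the management screen uses, while an alternate path reaches the same privileged handlers with no check. A deny-by-default dispatcher that performs the check once, before any handler, sits beside it, together with a regression check that every privileged path rejects an unauthenticated request. All paths, handlers and the session token are assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample credential for the example, not a real token.
ADMIN_SESSION = "constructed-admin-session-token"


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)


def is_authenticated(req: Request) -> bool:
    return req.headers.get("X-Session") == ADMIN_SESSION


# Privileged operations: stand-ins for the actions the advisory says an attacker could reach.
def change_settings(req: Request) -> str:
    return "settings changed"


def reset_admin_account(req: Request) -> str:
    return "administrator account reset"


def status_page(req: Request) -> str:
    return "ok"


# Hypothetical paths; every entry except /status must require an administrator session.
PRIVILEGED_PATHS = ["/admin/settings", "/api/v1/settings", "/api/v1/admin/reset"]


def vulnerable_dispatch(req: Request) -> tuple:
    """CWE-288: the check lives inside one route, so other routes to the same handlers skip it."""
    if req.path == "/admin/settings":
        if not is_authenticated(req):
            return 401, "login required"
        return 200, change_settings(req)
    # Alternate paths used by another client (e.g. a mobile app) reach the handlers unchecked.
    if req.path == "/api/v1/settings":
        return 200, change_settings(req)
    if req.path == "/api/v1/admin/reset":
        return 200, reset_admin_account(req)
    if req.path == "/status":
        return 200, status_page(req)
    return 404, "not found"


# Hardened form: each route declares the privilege it needs, and the dispatcher enforces it
# before any handler runs. Unknown paths are rejected, so there is no unlisted channel.
ROUTES = {
    "/admin/settings": ("admin", change_settings),
    "/api/v1/settings": ("admin", change_settings),
    "/api/v1/admin/reset": ("admin", reset_admin_account),
    "/status": ("public", status_page),
}


def hardened_dispatch(req: Request) -> tuple:
    route = ROUTES.get(req.path)
    if route is None:
        return 404, "not found"
    required, handler = route
    if required != "public" and not is_authenticated(req):
        return 401, "login required"
    return 200, handler(req)


def unguarded_paths(dispatch) -> list:
    """Regression check: privileged paths that serve an unauthenticated request."""
    return sorted(p for p in PRIVILEGED_PATHS if dispatch(Request(p))[0] == 200)


if __name__ == "__main__":
    print(unguarded_paths(vulnerable_dispatch))  # ['/api/v1/admin/reset', '/api/v1/settings']
    print(unguarded_paths(hardened_dispatch))    # []
```

The point of the hardened form is that the authorization decision is made in one place from an explicit route table, so adding a new client-facing path cannot silently create an unauthenticated channel; the `unguarded_paths` check is the kind of test to keep in the build so a regression shows up before shipping.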

Mitigation

To get an updated version, please contact the vendor at the following email address:

Vulnerable software versions

iDoors Reader: All versions


External links
http://idoors.jp/?info=idoors%e3%83%aa%e3%83%bc%e3%83%80%e3%81%ab%e3%81%8a%e3%81%91%e3%82%8b%e8%aa%...


Q & A

Can this vulnerability be exploited remotely?

Yes, from an adjacent network. This vulnerability can be exploited by a non-authenticated attacker on the same local network (LAN) as the device; it does not require access from the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

