dormakaba Kaba exos 9300 Unauthenticated RPC Service Vulnerability

A vulnerability exists in the Kaba exos 9300 access control management system, specifically within an RPC service that operates on port 4000. This service, managed by the process 'FSMobilePhoneInterface.exe', facilitates interprocess communication between the exos 9300 server and its graphical user interface. Notably, the RPC service is accessible without authentication, allowing unauthorized users to send arbitrary status updates regarding door contacts and other related information. This vulnerability could be exploited to manipulate the system's representation of door statuses, potentially leading to unauthorized physical access.

Impact

Exploitation of this vulnerability allows for unauthorized manipulation of door status information within the Kaba exos 9300 GUI. While this action does not directly open doors, it could create a false impression of a door being open, which might be problematic if the status is monitored for security purposes. However, it was revealed during discussions with dormakaba that this RPC service could also be used to open doors, adding a layer of physical access risk to the vulnerability.

Reproduction

The vulnerability can be reproduced by sending an RPC object to the Kaba exos 9300 server's port 4000. This can be done using a tool like netcat. The RPC object should include the identifier of the access manager, formatted according to dormakaba's addressing scheme, to change the status of a specific door. The 'identifier' must be known or can be enumerated.

Remediation

dormakaba has stated that this vulnerability has been fixed in the access manager 9200-k7 with the BAME 06.00 update. For the 9200-k5 access managers, which do not support the necessary encryption for secure communication, it is recommended to replace the old hardware with newer models as soon as possible.