dormakaba exos 9300
- < 4.4.0
A critical vulnerability has been identified in the dormakaba Access Manager 9200-K5 and 9200-K7 models, all versions prior to BAME 06.00. The issue arises from a SOAP API that is exposed on port 8002 of the access managers. This API, which is used to receive commands from the central exos 9300 management server, does not require any authentication or authorization by default. As a result, an attacker with network access can exploit this vulnerability to gain unauthorized control over the access managers and the doors they manage.
Exploitation of this vulnerability allows for unauthenticated access to the SOAP API, enabling an attacker to open doors, release locks, and reconfigure the access manager's settings, including the administrative password. This vulnerability has been assigned a CVSS score of 9.3, indicating its critical nature.
The vulnerability can be reproduced by sending a SOAP request to the access manager's IP address on port 8002. The request must include the 'ExecutePassagewayCommand' action, specifying the identifier of the door to be controlled and the command to execute, such as opening the door. This can be done using a tool like Burp Suite to manually craft and send the SOAP request. Once the request is sent, the door connected to the access manager will open, demonstrating the successful exploitation of the vulnerability.
Users are advised to update to dormakaba Access Manager versions BAME 06.00 or later, where this vulnerability has been fixed. For those using the 9200-K5 model, it is recommended to replace the hardware with a newer version as soon as possible.
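Because the SOAP API on port 8002 exists only to receive commands from the central exos 9300 management server, any other host connecting to that port on an access manager is worth investigating until the fixed firmware is in place. The following detection sketch is an added example, not code from dormakaba or from this advisory; the flow-log format, the IP addresses and the function names are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

SOAP_PORT = 8002  # port the advisory names for the access manager SOAP API

# Constructed sample flow records in a hypothetical format:
# time src_ip src_port dst_ip dst_port proto action
SAMPLE_FLOWS = """\
2024-05-01T08:00:01Z 10.20.0.5 51544 10.20.8.11 8002 tcp allow
2024-05-01T08:00:07Z 10.20.0.5 51550 10.20.8.12 8002 tcp allow
2024-05-01T08:03:12Z 10.20.44.97 40122 10.20.8.11 8002 tcp allow
2024-05-01T08:03:13Z 10.20.44.97 40123 10.20.8.12 8002 tcp deny
2024-05-01T08:04:00Z 10.20.44.97 40130 10.20.8.11 443 tcp allow
truncated line
2024-05-01T08:05:30Z 10.20.51.3 39001 10.20.8.12 8002 tcp allow
""".splitlines()

def parse_flow(line):
    """Return a dict for one flow record, or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, src, _sport, dst, dport, proto, action = parts
    try:
        return {"ts": ts, "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst), "dport": int(dport),
                "proto": proto.lower(), "action": action.lower()}
    except ValueError:
        return None

def unexpected_soap_clients(lines, access_managers, management_servers):
    """Count flows to access-manager SOAP ports from non-management sources."""
    managers = [ipaddress.ip_network(n) for n in access_managers]
    allowed = [ipaddress.ip_network(n) for n in management_servers]
    hits = Counter()
    for flow in filter(None, map(parse_flow, lines)):
        if flow["proto"] != "tcp" or flow["dport"] != SOAP_PORT:
            continue  # not the SOAP API port
        if not any(flow["dst"] in net for net in managers):
            continue  # destination is not an access manager
        if any(flow["src"] in net for net in allowed):
            continue  # expected traffic from the management server
        hits[(str(flow["src"]), str(flow["dst"]), flow["action"])] += 1
    return dict(hits)

if __name__ == "__main__":
    findings = unexpected_soap_clients(SAMPLE_FLOWS, ["10.20.8.0/24"], ["10.20.0.5/32"])
    for (src, dst, action), n in sorted(findings.items()):
        print(f"{src} -> {dst}:{SOAP_PORT} action={action} count={n}")
```

Flows with action `allow` show that the port is reachable from outside the management server and point to a missing network restriction; `deny` entries show a blocked attempt that still merits a look at the source host.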