dormakaba Access Manager
- < XAMB 04.06.212
- < BAME 06.00
A vulnerability exists in the dormakaba Access Manager's trace functionality, which is implemented as an open TCP socket. This socket broadcasts debug information, including sensitive data such as Card IDs and PINs entered on registration units, without authentication or encryption. The vulnerability can be exploited by setting the trace level to 'Verbose' via an unauthenticated SOAP API request, then connecting to the TCP socket to intercept the broadcast data. This issue affects dormakaba Access Manager 9200-K5 versions prior to 04.06.212 and 9200-K7 versions prior to BAME 05.02.156.
Exploitation of this vulnerability allows for the interception of PINs entered on dormakaba registration units via a TCP socket, creating a risk of unauthorized access to secured areas by replicating the PIN entry on the corresponding access manager.
The vulnerability can be reproduced by sending an unauthenticated request to the Access Manager's SOAP API to set the trace level to 'Verbose'. Once the trace level is set, a connection can be established to the open TCP socket on port 4502, where the broadcast data will include all PINs entered on connected registration units.
Users are advised to update to dormakaba Access Manager 9200-K5 versions 04.06.212 or later and 9200-K7 versions BAME 05.02.156 or later.
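To triage an inventory against this advisory, the following added example (not dormakaba's or the advisory author's code) compares each controller's firmware string with the fixed versions from the remediation paragraph and checks whether TCP port 4502 accepts connections from the auditing host. The inventory format, the function names and the mapping of the XAMB prefix to the 9200-K5 are assumptions.

```python
import socket

# Fixed firmware per the advisory's remediation paragraph. Mapping the XAMB
# prefix to the 9200-K5 and BAME to the 9200-K7 is an assumption.
FIXED = {"9200-K5": ("XAMB", (4, 6, 212)), "9200-K7": ("BAME", (5, 2, 156))}
TRACE_PORT = 4502  # trace socket port named in the advisory

def parse_firmware(text):
    """Split 'BAME 05.02.156' into ('BAME', (5, 2, 156))."""
    prefix, _, number = text.strip().partition(" ")
    return prefix.upper(), tuple(int(part) for part in number.split("."))

def is_fixed(model, firmware):
    """True when the firmware is at or above the fixed version for its model."""
    want_prefix, want = FIXED[model]
    prefix, have = parse_firmware(firmware)
    if prefix != want_prefix:
        raise ValueError(f"{firmware!r} is not a {model} firmware string")
    return have >= want

def trace_port_open(host, port=TRACE_PORT, timeout=2.0):
    """True when a TCP connect to the trace port succeeds; reads no data."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def triage(inventory, probe=trace_port_open):
    """Return (host, finding) for every (host, model, firmware) entry."""
    findings = []
    for host, model, firmware in inventory:
        fixed = is_fixed(model, firmware)
        finding = "fixed" if fixed else "vulnerable: update firmware"
        if probe(host):
            finding += "; trace port reachable"
        findings.append((host, finding))
    return findings

if __name__ == "__main__":
    # Constructed inventory using documentation addresses, not real devices.
    sample = [("192.0.2.10", "9200-K5", "XAMB 04.06.100"),
              ("192.0.2.11", "9200-K7", "BAME 05.02.156")]
    for host, finding in triage(sample):
        print(host, finding)
```

A controller reported as fixed with the trace port still reachable is worth a look at network filtering, since the port check only shows reachability from the host running the script.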