dormakaba Access Manager
- XAMB < 04.06.212
- BAME < 06.00
A vulnerability exists in the dormakaba Access Manager's web server, allowing unauthorized access to sensitive data through an unprotected SOAP API. This API can be exploited without authentication to manipulate the device's SQLite database, which contains confidential information such as PIN codes, card data, and passwords. The vulnerability is exacerbated by other identified issues, including weak default passwords and insufficient session management, creating multiple pathways for attackers to access and exploit sensitive information.
Exploitation of this vulnerability allows for unauthorized access to the Access Manager's SQLite database, which includes unencrypted PIN codes, administrative passwords, and other sensitive configuration data. This access can be leveraged to manipulate the Access Manager's settings and control connected physical access devices, such as electronic locks.
The vulnerability can be reproduced by sending an unauthenticated request to the Access Manager's SOAP API, which is accessible via HTTP on port 8002. The request can include commands to export the SQLite database or to change the administrative password, among other configuration options. This can be done using a simple HTTP POST request with the appropriate SOAP action and parameters, such as the device identifier and the desired command or data.
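For defenders who proxy or mirror traffic to the Access Manager, the check below flags SOAP POSTs to port 8002 that carry no credentials or come from outside an allowlisted set of management hosts. It is an added detection example, not code from the advisory or from dormakaba; the request record layout, header names and sample traffic are constructed for illustration, and the SOAPAction value is a placeholder because the advisory does not name the action.

```python
from dataclasses import dataclass, field

SOAP_PORT = 8002  # the Access Manager's SOAP listener port named in the advisory


@dataclass(frozen=True)
class HttpRequest:
    """Per-request metadata as a proxy or IDS might hand it over (constructed layout)."""
    src_ip: str
    dst_port: int
    method: str
    headers: dict = field(default_factory=dict)  # header names lower-cased
    body: str = ""


def looks_like_soap(req):
    """SOAP 1.1 carries a SOAPAction header; SOAP 1.2 uses application/soap+xml;
    either way the body opens with a namespaced Envelope element."""
    ctype = req.headers.get("content-type", "").lower()
    return ("soapaction" in req.headers or "application/soap+xml" in ctype
            or ":envelope" in req.body.lower()[:512])


def has_credentials(req):
    """Any credential-bearing header counts; refine for the real deployment."""
    return any(h in req.headers for h in ("authorization", "cookie"))


def flag_soap_requests(requests, management_hosts=frozenset()):
    """Return (src_ip, reason) for every SOAP POST to port 8002 that is
    unauthenticated and/or not sent from an allowlisted management host."""
    findings = []
    for r in requests:
        if r.dst_port != SOAP_PORT or r.method.upper() != "POST" or not looks_like_soap(r):
            continue
        reasons = []
        if not has_credentials(r):
            reasons.append("no credentials")
        if r.src_ip not in management_hosts:
            reasons.append("source not allowlisted")
        if reasons:
            findings.append((r.src_ip, "; ".join(reasons)))
    return findings


# Constructed sample traffic, not real captures.
SAMPLE = [
    HttpRequest("10.0.0.5", 8002, "POST",
                {"soapaction": '"PLACEHOLDER_ACTION"', "authorization": "Basic <redacted>"},
                "<s:Envelope/>"),
    HttpRequest("192.0.2.77", 8002, "POST", {"content-type": "text/xml"},
                "<soap:Envelope><soap:Body/></soap:Envelope>"),
    HttpRequest("10.0.0.5", 8002, "POST", {"content-type": "application/json"}, "{}"),
    HttpRequest("192.0.2.77", 8002, "GET", {}, ""),
]
MANAGEMENT_HOSTS = frozenset({"10.0.0.5"})

if __name__ == "__main__":
    for ip, why in flag_soap_requests(SAMPLE, MANAGEMENT_HOSTS):
        print(f"ALERT {ip}: {why}")
```

Only the second sample record is reported; the authenticated request from the management host, the non-SOAP POST and the GET are ignored.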
Users are advised to update to the latest version of the dormakaba Access Manager software, where this vulnerability has been addressed. For detailed instructions on the update process, consult the dormakaba security advisory page or contact your dormakaba partner.