dormakaba Access Manager Unencrypted Flash Storage Vulnerability Allowing SSH Root Access

Vulnerability

A vulnerability exists in the dormakaba Access Manager 9200-K7 because the device's flash storage is not encrypted. An attacker with physical access can desolder the flash memory, read or modify its contents offline, and resolder it. Because nothing on the chip is protected, critical files such as '/etc/passwd', stored certificates, cryptographic keys and PINs can be read or altered, and modifying them yields SSH root access on the Linux-based K7 model. On the Windows CE-based K5 model, the same physical access exposes the Access Manager password in plain text in the device's SQLite database.

Impact

Exploitation requires physical access to the device but no credentials and no network path. An attacker can read and modify sensitive data, including passwords, PINs, certificates and cryptographic keys, obtain SSH root access on the K7 model, and recover the Access Manager password on the K5 model.

Reproduction

The vulnerability is reproduced by physically accessing an Access Manager 9200-K7, desoldering the flash memory, dumping and modifying its contents, and reinstalling the chip. Because the storage is unencrypted, the dump contains the file system in readable form; a legible '/etc/passwd' in the image confirms the absence of encryption and allows the stored data to be altered before the chip is resoldered.
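
The triage a tester performs on such a dump, as an added example that is not part of this advisory and not dormakaba code: it checks whether a flash image is encrypted at all (per-block Shannon entropy, where ciphertext sits near 8 bits per byte and a plaintext file system does not) and, if not, carves out what the advisory says is exposed: passwd entries and whether their password field is replaceable, PEM private keys, and SQLite database headers. The block size, the entropy threshold and the sample image (random filler around a constructed plaintext region, with a fake hash and a fake key) are assumptions made for the example, not data from a real device.

```python
"""Triage a raw flash dump for plaintext secrets.

Added example for this advisory, not dormakaba code. Input is a chip-off
flash image; here a constructed in-memory sample stands in for a real dump.
"""
import math
import random
import re
from collections import Counter

BLOCK_SIZE = 4096           # assumption: scan granularity, not a device property
ENCRYPTED_THRESHOLD = 7.5   # assumption: bits/byte above which a block is treated as ciphertext

# One passwd(5) line: name:password:uid:gid:gecos:home:shell
PASSWD_RE = re.compile(
    rb"(?m)^([a-z_][a-z0-9_-]*):([^:\n]*):(\d+):(\d+):[^:\n]*:[^:\n]*:[^\n]*$"
)
PEM_KEY_RE = re.compile(
    rb"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S
)
SQLITE_MAGIC = b"SQLite format 3\x00"   # real SQLite 3 file header, offset 0 of the db


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the empirical byte distribution (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(image: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Entropy of each block; a run of low values marks a plaintext region."""
    return [shannon_entropy(image[i:i + block_size])
            for i in range(0, len(image), block_size)]


def looks_encrypted(image: bytes, block_size: int = BLOCK_SIZE) -> bool:
    """True only if every block is near-random; one plaintext block fails it."""
    return all(e >= ENCRYPTED_THRESHOLD for e in entropy_profile(image, block_size))


def classify_password_field(field: bytes) -> str:
    """Interpret the second field of a passwd line."""
    if field == b"":
        return "empty: login with no password"
    if field == b"x":
        return "shadowed: real hash lives in /etc/shadow"
    if field.startswith(b"*") or field.startswith(b"!"):
        return "locked or disabled"
    if field.startswith(b"$"):
        algo = field.split(b"$")[1].decode(errors="replace")
        return "hash in passwd itself (algorithm id %s): replaceable by rewriting flash" % algo
    return "legacy DES crypt hash in passwd itself: replaceable by rewriting flash"


def find_secrets(image: bytes) -> dict:
    """Carve the obvious plaintext artefacts out of an unencrypted dump."""
    accounts = [{"user": m.group(1).decode(), "uid": int(m.group(3)),
                 "password_field": classify_password_field(m.group(2))}
                for m in PASSWD_RE.finditer(image)]
    keys = [m.start() for m in PEM_KEY_RE.finditer(image)]
    dbs = []
    off = image.find(SQLITE_MAGIC)
    while off != -1:
        # Header bytes 16..17: page size, big-endian; the value 1 encodes 65536.
        page = int.from_bytes(image[off + 16:off + 18], "big")
        dbs.append({"offset": off, "page_size": 65536 if page == 1 else page})
        off = image.find(SQLITE_MAGIC, off + 1)
    return {"accounts": accounts, "pem_keys_at": keys, "sqlite_at": dbs}


def build_sample_image() -> bytes:
    """Constructed stand-in for a chip-off dump: random filler around one
    plaintext block. The hash, key body and database are fake."""
    rng = random.Random(1234)
    passwd = (b"root:$6$saltsalt$FAKEHASHFAKEHASHFAKEHASH:0:0:root:/root:/bin/sh\n"
              b"svc:x:1000:1000::/home/svc:/bin/sh\n")
    pem = (b"-----BEGIN RSA PRIVATE KEY-----\n"
           b"MIIEowIBAAKCAQEAfakefakefakefakefake\n"      # constructed, not a key
           b"-----END RSA PRIVATE KEY-----\n")
    db = SQLITE_MAGIC + (4096).to_bytes(2, "big")
    plain = b"\n" + passwd + pem + db                    # leading newline anchors ^
    plain += b"\x00" * (BLOCK_SIZE - len(plain))
    return rng.randbytes(BLOCK_SIZE) + plain + rng.randbytes(BLOCK_SIZE)


if __name__ == "__main__":
    img = build_sample_image()
    print("encrypted:", looks_encrypted(img))
    print("entropy per block:", [round(e, 2) for e in entropy_profile(img)])
    for k, v in find_secrets(img).items():
        print(k, v)
```

On a genuinely encrypted image every block reports close to 8 bits per byte and `find_secrets` returns nothing; a readable passwd line whose root field carries the hash itself is the precondition for the SSH root outcome the advisory describes, since whoever can rewrite the chip can rewrite that field.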

Remediation

Users are advised to contact their dormakaba partner to verify that their devices are running current software and to replace old hardware revisions with newer ones. Until replacement, restricting physical access to the controller enclosure is the only compensating control, since the attack needs neither a network path nor credentials.

Added: Jan 26, 2026, 10:48 AM
Updated: Jan 26, 2026, 4:06 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          7.5
exploitability  1.2
remediation     0.0
relevance       2.4
threat          1.6
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to derive these eight key vulnerability categories, which are then combined into the overall risk score.