dormakaba Access Manager Weak Default Password Vulnerability

Vulnerability

A vulnerability exists in the web interface of the dormakaba Access Manager: the default password is 'admin'. The issue is present in the 9200-k5 and 9200-k7 hardware revisions across various firmware versions. On the 9200-k5 the user is never required to change this password at first login; on the 9200-k7 the change is enforced only in firmware versions 05.01.088 and later. Anyone who can reach the web interface can therefore log in with the default password, manipulate settings, or export the database, which contains sensitive information such as PIN codes and passwords.

Impact

Exploitation gives an attacker unauthorized access to the Access Manager's web interface, where settings can be changed and a full database export can be retrieved. The export includes passwords and PIN codes, which can be used to bypass the physical security measures the device controls.

Reproduction

To reproduce, log in to the Access Manager's web interface with the default password 'admin'. Once logged in, every other request to the interface is accepted without further authentication. If the Access Manager is connected to a biometric reader via coax, the default password also allows an attacker to deactivate alarms or open secured doors.

Remediation

Change the default password on every deployed Access Manager and update the device to a firmware version that enforces the change at first login (05.01.088 or later on the 9200-k7). Because the 9200-k5 never enforces the change, operators of that revision are advised to upgrade to the 9200-k7 model. In either case, verify on each device that the password has actually been changed rather than relying on the update alone.
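The two facts above (the 9200-k5 never enforces a first-login password change; the 9200-k7 does so only from firmware 05.01.088) are easy to get wrong across a fleet. The following is an added example, not code from dormakaba or from the original advisory, that applies them to an inventory and flags which devices still need a manual password change or an upgrade. The inventory records, the field names (host, revision, firmware, password_changed) and the firmware strings in the sample data are constructed for this example and are not taken from the advisory.

```python
"""Fleet audit for dormakaba Access Manager default-password exposure.

Added example, not code from dormakaba or the original advisory. It encodes
two facts from the advisory: the 9200-k5 never forces a change of the default
'admin' password at first login, and the 9200-k7 only does so from firmware
05.01.088. Everything else (record layout, sample hosts and firmware strings)
is constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple

DEFAULT_PASSWORD = "admin"          # default password named in the advisory
K7_ENFORCING_FIRMWARE = "05.01.088"  # first 9200-k7 firmware that enforces a change


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted firmware string such as '05.01.088' into a comparable tuple.

    Leading zeros are dropped by int(), so '05.01.088' -> (5, 1, 88), which
    compares correctly against '05.01.100' where a plain string compare would not.
    """
    return tuple(int(part) for part in version.strip().split("."))


def enforces_password_change(revision: str, firmware: str) -> bool:
    """Return True if this hardware/firmware pair forces a change at first login."""
    rev = revision.lower()
    if rev == "9200-k5":
        return False  # never enforced on the k5, whatever the firmware
    if rev == "9200-k7":
        return parse_version(firmware) >= parse_version(K7_ENFORCING_FIRMWARE)
    raise ValueError(f"unknown hardware revision: {revision!r}")


@dataclass
class AccessManager:
    host: str
    revision: str
    firmware: str
    password_changed: bool  # operator's record of whether 'admin' was replaced


def audit(inventory: List[AccessManager]) -> List[Tuple[str, str, str]]:
    """Return (host, finding_code, action) triples for devices that need attention."""
    findings = []
    for dev in inventory:
        enforced = enforces_password_change(dev.revision, dev.firmware)
        if not dev.password_changed:
            # The default password is exploitable regardless of firmware; this is
            # the finding that needs action first.
            findings.append((dev.host, "DEFAULT_PASSWORD",
                             f"log in and replace the default {DEFAULT_PASSWORD!r} password now"))
        if not enforced:
            # Even once the password is changed, a device that never enforces the
            # change will silently return to the weak state if it is ever reset.
            if dev.revision.lower() == "9200-k5":
                action = "upgrade to a 9200-k7 unit"
            else:
                action = f"update firmware to {K7_ENFORCING_FIRMWARE} or later"
            findings.append((dev.host, "NO_ENFORCEMENT", action))
    return findings


# Constructed sample inventory (hosts and firmware strings are illustrative).
SAMPLE_INVENTORY = [
    AccessManager("10.0.5.11", "9200-k5", "04.02.010", password_changed=False),
    AccessManager("10.0.5.12", "9200-k7", "05.01.080", password_changed=False),
    AccessManager("10.0.5.13", "9200-k7", "05.01.088", password_changed=True),
    AccessManager("10.0.5.14", "9200-k7", "05.02.001", password_changed=True),
]

if __name__ == "__main__":
    for host, code, action in audit(SAMPLE_INVENTORY):
        print(f"{host:<12} {code:<17} {action}")
```

The audit deliberately reports two separate findings: the live default password, which is the exploitable condition, and the lack of enforcement, which is what lets the weak state come back after a factory reset or replacement. Feeding it a real inventory means keeping an honest password_changed flag per device, which in practice comes from verifying each unit rather than from assuming a firmware update took care of it.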

Added: Jan 26, 2026, 10:28 AM
Updated: Jan 26, 2026, 3:09 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          7.5
exploitability  7.7
remediation     0.0
relevance       2.4
threat          1.6
urgency         2.9
incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.