1. EXECUTIVE SUMMARY
- CVSS v3 5.9
- ATTENTION: Exploitable locally
- Vendor: HID Global
- Equipment: iCLASS SE, OMNIKEY
- Vulnerability: Improper Authorization
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to read data from reader configuration cards and credentials. Reader configuration cards contain credential and device administration keys which could be used to create malicious configuration cards or credentials.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following HID products are affected when configured as an encoder:
- iCLASS SE CP1000 Encoder: All versions
- iCLASS SE Readers: All versions
- iCLASS SE Reader Modules: All versions
- iCLASS SE Processors: All versions
- OMNIKEY 5427CK Readers: All versions
- OMNIKEY 5127CK Readers: All versions
- OMNIKEY 5023 Readers: All versions
- OMNIKEY 5027 Readers: All versions
3.2 Vulnerability Overview
3.2.1 IMPROPER AUTHORIZATION CWE-285
Certain configuration available in the communication channel for encoders could expose sensitive data when reader configuration cards are programmed. This data could include credential and device administration keys.
CVE-2024-22388 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Multiple
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER
HID Global reported this vulnerability to CISA.
Content was cut in order to protect the source.Please visit the source for the rest of the article.Read the original article: