CVE-2023-6260 on SRA Labs https://labs.sra.io/tags/cve-2023-6260/ Recent content in CVE-2023-6260 on SRA Labs Hugo -- gohugo.io en-us Mon, 19 Feb 2024 12:00:00 +0000 Brivo Access Control Systems https://labs.sra.io/posts/brivoacs/ Mon, 19 Feb 2024 12:00:00 +0000 https://labs.sra.io/posts/brivoacs/ <h1 id="summary">Summary</h1> <p>SRA has identified multiple vulnerabilities in Brivo Access Control Systems that can lead to the disclosure of sensitive system data and allow degradation or bypass of critical system functions.</p> <h1 id="cve-identifiers">CVE Identifiers</h1> <table> <thead> <tr> <th>CVE ID</th> <th>CVE Name</th> </tr> </thead> <tbody> <tr> <td>CVE-2023-6259</td> <td>Local Access to Sensitive Data</td> </tr> <tr> <td>CVE-2023-6260</td> <td>Web UI OS Command Injection</td> </tr> </tbody> </table> <h1 id="vulnerability-details--description">Vulnerability Details / Description</h1> <h2 id="cve-2023-6259--local-access-to-sensitive-data">CVE-2023-6259 – Local Access to Sensitive Data</h2> <p>An attacker with physical access to the ACS100 or ACS300 devices can access sensitive data from device memory that can be used to conduct additional attacks.</p> <h1 id="summary">Summary</h1> <p>SRA has identified multiple vulnerabilities in Brivo Access Control Systems that can lead to the disclosure of sensitive system data and allow degradation or bypass of critical system functions.</p> <h1 id="cve-identifiers">CVE Identifiers</h1> <table> <thead> <tr> <th>CVE ID</th> <th>CVE Name</th> </tr> </thead> <tbody> <tr> <td>CVE-2023-6259</td> <td>Local Access to Sensitive Data</td> </tr> <tr> <td>CVE-2023-6260</td> <td>Web UI OS Command Injection</td> </tr> </tbody> </table> <h1 id="vulnerability-details--description">Vulnerability Details / Description</h1> <h2 id="cve-2023-6259--local-access-to-sensitive-data">CVE-2023-6259 – Local Access to Sensitive Data</h2> <p>An attacker with physical access to the ACS100 or ACS300 devices can access sensitive data from device memory that can be used to conduct additional attacks.</p> <p><strong>Severity</strong></p> <p>The CVSS severity level of this vulnerability has been calculated to be 7.1 (High)</p> <p>CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H</p> <h2 id="cve-2023-6260--web-ui-os-command-injection">CVE-2023-6260 – Web UI OS Command Injection</h2> <h3 id="acs300-physical-access">ACS300 (Physical Access)</h3> <p>An attacker with physical access to ACS300 devices can perform a command injection attack via the web UI and gain access to sensitive data that can be used to conduct additional attacks.</p> <p><strong>Severity</strong></p> <p>The CVSS base score of this vulnerability has been calculated to be 7.4 (High) for the physical access scenario:</p> <p>CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</p> <h3 id="acs100-adjacent-network-access">ACS100 (Adjacent Network Access)</h3> <p>An attacker with local network access to ACS100 devices can perform a command injection attack via the web UI and gain access to sensitive data that can be used to conduct additional attacks.</p> <p><strong>Severity</strong></p> <p>The CVSS severity level of this vulnerability has been calculated to be 9.0 (High) for the adjacent network access scenario:</p> <p>CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</p> <h1 id="affected-versions-and-models">Affected Versions and Models</h1> <p>Affects models ACS100, ACS300. Models ACS6000 and ACSSDC may also be affected.</p> <p><strong>Severity</strong></p> <p>Affects firmware versions from 5.2.4 but before 6.2.4.3. Versions prior to 5.2.4 may also be affected.</p> <h1 id="mitre-cwe-weakness-enumeration">MITRE CWE Weakness Enumeration</h1> <p>CWE-284: Improper Access Control</p> <p>CWE-522: Insufficiently Protected Credentials</p> <p>CWE-77: Improper Neutralization of Special Elements used in a Command (‘Command Injection’)</p> <h1 id="remediation-options">Remediation Options</h1> <p>Update affected devices to firmware version 6.2.4.3. Contact Brivo or your reseller for more information.</p> <h1 id="source">Source</h1> <p>These vulnerabilities were discovered by Alexandra Grochal and Gabe Siftar, as part of a research initiative for Security Risk Advisors’ internal hardware penetration testing team.</p> <h1 id="timeframe">Timeframe</h1> <ul> <li>October 9, 2023 – SRA attempts initial contact with Brivo.</li> <li>November 9, 2023 – SRA shares vulnerability details with Brivo’s product security team.</li> <li>November 29, 2023 – SRA reserves CVE IDs.</li> <li>December 15, 2023 – Brivo releases fix to production.</li> </ul>