Vulnerabilities in CDVI ACAC22 [2-Door Controller]
==================================================

Vulnerabilities have been found in the web interface of the CDVI ACAC22 door controller. They include:

- Client-side "encryption" of the username and password without SSL
- Denial of service attacks that leave the web interface unusable and may cause the lock to fail open

This issue has been assigned an ID for reference: 1dd4a586

No CVE has been assigned.

Contacting CDVI
===============

CDVI was contacted but did not respond to any request for assistance. It has therefore been decided to post this information to the Full Disclosure mailing list.

CDVI's website is as follows:

Authentication issues
=====================

At the login screen, a JavaScript function encrypts the username with RC4 and hashes the password with MD5 before the form is submitted. The RC4 key is retrieved from the server and is sent back with the login details as a cookie; the same key is also prepended to the password as a salt before the MD5 step. From the 'login_preSubmit()' function on the main login page:

    $("#login_user").val(rc4($("#login_key").val(), username_str));
    $("#login_pass").val(md5($("#login_key").val() + $("#login_password").val()));

The server checks that the submitted key is one it issued, but when (or whether) a key expires is unknown.

The MD5 digest is submitted as a hexadecimal string and the server is sensitive to its case, which indicates that it recomputes md5(key + password) from the supplied key and compares the two strings. Because the salt is a per-session key, the server can only do that if it has the password itself, so passwords are most likely stored in plaintext.

As for exposure of the key: the web interface does not use SSL, so the key is issued and returned with no transport encryption. Anyone who can observe the traffic sees the key cookie, the RC4-encrypted username and the MD5 digest together. RC4 is symmetric, so the same key decrypts the username; a known salt means the digest can be attacked offline with a dictionary; and the digest itself can be replayed for as long as the server still accepts that key.

Denial of service attack
========================

One can exhaust the available login sessions and keys by making multiple requests.
The server attempts to thwart this by limiting a client to about five sessions per IP address and User-Agent, but changing the User-Agent alone is enough to reach the overall maximum of around 15. Once the pool is exhausted, nobody can log in to the web interface. Additionally, the device is configured by default to fail open, meaning that an attacker could potentially cause the door to unlock if the system becomes overloaded in the process. Yes: one could possibly unlock the door through a DoS attack.

Our opinion
===========

You should contact the device manufacturer for further assistance and avoid buying the device if you're looking to implement such a system.

Yours truly,

Gassy Jack