A potentially serious vulnerability affecting a network door controller made by Swedish security solutions provider Axis Communications can expose facilities to both physical and cyber threats.
Axis offers network cameras and other physical security products that are used by government and private sector organizations around the world.
The flaw, tracked as CVE-2023-21406 and rated ‘high severity’, is a heap-based buffer overflow impacting the Axis A1001 network door controller. The company has released patches and additional security improvements to address the vulnerability.
The vendor and the US Cybersecurity and Infrastructure Security Agency (CISA) released advisories this week to inform organizations about the vulnerability, which is related to the Open Supervised Device Protocol (OSDP), an access control communications standard.
“A heap-based buffer overflow was found in the pacsiod process, which is handling the OSDP communication, allowing to write outside of the allocated buffer. By appending invalid data to an OSDP message it was possible to write data beyond the heap allocated buffer. The data written outside the buffer could be used to execute arbitrary code,” Axis said in its advisory.
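The following is an added illustration, not Axis code and not a reproduction of the pacsiod bug: a simplified OSDP-style frame parser in C showing how a length field that is trusted for the heap allocation but not for the copy produces exactly the class of overflow the advisory describes, alongside a hardened version that rejects any frame with trailing bytes. The frame layout follows the public OSDP packet format (SOM 0x53, address, 16-bit little-endian length covering the whole frame, control byte, command, data, checksum) in 8-bit checksum mode with no secure channel block; the two frames are constructed for the demo, and all function names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* OSDP frame layout (public packet format, 8-bit checksum mode, no secure channel block):
 *   SOM(0x53) ADDR LEN_LSB LEN_MSB CTRL CMD DATA... CKSUM
 * LEN counts every byte of the frame, SOM through CKSUM. */
#define OSDP_SOM      0x53
#define OSDP_DATA_OFF 6   /* SOM ADDR LEN LEN CTRL CMD */
#define OSDP_MIN_LEN  7   /* header + CMD + 1-byte checksum */

typedef struct {
    uint8_t  addr;
    uint8_t  cmd;
    uint8_t *data;      /* heap-allocated, caller frees */
    size_t   data_len;
} osdp_msg_t;

/* Constructed frames (not captured traffic): command byte 0x60 to address 0
 * carrying two data bytes, and the same frame with four bytes appended. */
static const uint8_t good_frame[] = {
    0x53, 0x00, 0x09, 0x00, 0x00, 0x60, 0xAA, 0xBB, 0xDF };
static const uint8_t padded_frame[] = {
    0x53, 0x00, 0x09, 0x00, 0x00, 0x60, 0xAA, 0xBB, 0xDF, 0x41, 0x41, 0x41, 0x41 };

static size_t declared_len(const uint8_t *buf)
{
    return (size_t)buf[2] | ((size_t)buf[3] << 8);
}

/* Two's-complement checksum: all frame bytes including CKSUM sum to 0 mod 256. */
uint8_t osdp_checksum(const uint8_t *buf, size_t n)
{
    unsigned sum = 0;
    for (size_t i = 0; i < n; i++) sum += buf[i];
    return (uint8_t)(0u - sum);
}

/* Header and checksum validation over the *declared* frame only. */
static int check_header(const uint8_t *buf, size_t received, size_t *len_out)
{
    if (received < OSDP_MIN_LEN || buf[0] != OSDP_SOM) return -1;
    size_t len = declared_len(buf);
    if (len < OSDP_MIN_LEN || len > received) return -1;
    if (osdp_checksum(buf, len - 1) != buf[len - 1]) return -1;
    *len_out = len;
    return 0;
}

/* VULNERABLE (illustrative pattern): the allocation is sized from LEN, but the
 * copy count comes from the number of bytes actually received. Bytes appended
 * after a valid checksum pass validation, because the checksum covers only the
 * declared frame, and then land past the end of the heap buffer. */
int osdp_parse_unsafe(const uint8_t *buf, size_t received, osdp_msg_t *out)
{
    size_t len;
    if (check_header(buf, received, &len) != 0) return -1;
    out->addr = buf[1];
    out->cmd = buf[5];
    out->data_len = len - OSDP_MIN_LEN;
    out->data = malloc(out->data_len ? out->data_len : 1);
    if (!out->data) return -1;
    memcpy(out->data, buf + OSDP_DATA_OFF, received - OSDP_MIN_LEN); /* BUG */
    return 0;
}

/* HARDENED: the received byte count must equal LEN exactly, and the copy
 * length is the same value that sized the allocation. */
int osdp_parse_safe(const uint8_t *buf, size_t received, osdp_msg_t *out)
{
    size_t len;
    if (check_header(buf, received, &len) != 0) return -1;
    if (len != received) return -1;   /* trailing bytes: malformed frame, reject */
    out->addr = buf[1];
    out->cmd = buf[5];
    out->data_len = len - OSDP_MIN_LEN;
    out->data = malloc(out->data_len ? out->data_len : 1);
    if (!out->data) return -1;
    memcpy(out->data, buf + OSDP_DATA_OFF, out->data_len);
    return 0;
}

/* Number of bytes osdp_parse_unsafe() would write past its allocation. */
size_t unsafe_overrun_bytes(const uint8_t *buf, size_t received)
{
    size_t len;
    if (check_header(buf, received, &len) != 0) return 0;
    return received - len;
}

int main(void)
{
    osdp_msg_t m = {0};
    printf("safe parser, valid frame:  %d\n", osdp_parse_safe(good_frame, sizeof good_frame, &m));
    free(m.data);
    printf("safe parser, padded frame: %d\n", osdp_parse_safe(padded_frame, sizeof padded_frame, &m));
    printf("unsafe parser would overrun its heap buffer by %zu bytes\n",
           unsafe_overrun_bytes(padded_frame, sizeof padded_frame));
    /* osdp_parse_unsafe() is deliberately not called on padded_frame: it corrupts the heap. */
    return 0;
}
```

The point of the pair is that the checksum offers no protection here: it is computed over the declared frame, so appended bytes never enter it. The only check that closes the hole is binding the copy length to the same value that sized the allocation and rejecting frames whose on-wire length disagrees with the header.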
CISA said the impacted product is used by commercial facilities worldwide.
Industrial cybersecurity firm Otorio, whose researchers discovered the vulnerability, told SecurityWeek that the issue was identified during a larger research project “focusing on assessing the security and potential risks emerging from advancements in access control readers and controllers”, particularly OSDP, a protocol that is widely assumed to be secure.
The Axis controller vulnerability can be exploited by an attacker who has physical access to the RS-485 twisted pair cable located at the rear of an access control reader, which is typically stationed at the entry point of a secured facility or perimeter.
“We’ve also proven a tamper protection bypass for this scenario,” Otorio security research team leader Eran Jacob told SecurityWeek.
An attacker can exploit the vulnerability to open doors, and could also tamper with logs on the access controller to hide their tracks.
Because the overflow is triggered over the serial channel used for reader-controller communications, an attacker at the reader outside the targeted facility can also achieve remote code execution on the access controller inside it.
“This vulnerability could potentially serve as a gateway to the internal IP network, even if highly segmented or air-gapped from the internet,” Jacob said.
Otorio has found other vulnerabilities as well as part of the same research project into access control products, and it has developed an OSDP assessment tool that it plans on releasing as open source in the future.