The high-severity vulnerability has been confirmed by the Cybersecurity and Infrastructure Security Agency (CISA), while Axis Communications has issued security patches, urging consumers to install them.
Leading OT cybersecurity firm OTORIO has discovered (PDF) a high-severity heap-based buffer overflow vulnerability in the AXIS A1001 system from Axis Communications. This system ensures secure access control, but the vulnerability exposes sensitive networks to various risks, including remote code execution.
For your information, Axis Communications AB is a Swedish manufacturer of network cameras, video encoders, and other surveillance products.
In an exclusive report shared with Hackread.com, the company explained that the buffer overflow flaw was discovered while communicating over OSDP. OTORIO researchers Ariel Harush and Roy Hodir wrote that the flaw is found in the pacsiod process, which handles the OSDP communications.
The high-severity vulnerability, tracked as CVE-2023-21406, allows message data to be written outside the heap-allocated buffer by appending invalid data to the OSDP message. Later, the data can be used for executing arbitrary code.
AXIS A1001 is an open, non-proprietary system designed for access management. Each door installs the controller individually, and the data is synchronized automatically between all existing system controllers. The controller support almost all RS 48 and Wiegand OSDP readers and comes with built-in software allowing access management for up to 33 controllers and an open API for larger installations.
The exploit for this flaw involves gaining physical access to the RS-48 twisted pair cable located at the rear end of an access control reader. The reader is positioned at the entrance of a security facility/perimeter. OTORIO’s researchers successfully demonstrated that a tamper protection bypass could further aggravate the risk.
What makes CVE-2023-21406 an issue of concern for the cybersecurity community is that attackers may exploit it for conducting RCE (remote code execution) on the internal access controller from outside the facility. An adversary may exploit the serial channel that enables reader-controller communication to gain unauthorized access and open doors.
They may also tamper with logs on the access controller. In addition to that, the flaw can serve as a potent gateway to the internal IP network regardless of its air-gapped or segmented status.
What sets this vulnerability apart is its potential for Remote Code Execution (RCE) on the internal access controller from outside of the facility. By exploiting the serial channel used for reader-controller communication, an attacker could gain unauthorized access to open doors or tamper with logs on the access controller. Even more alarmingly, this flaw could serve as a gateway to the internal IP network, irrespective of its segmentation or air-gapped status from the internet.OTORIO
The vulnerability impacts AXIS A1001 version 1.65.4 or earlier and is categorized as high severity with a CVSS score of 7.1. AXIS has already released a patch for the impacted devices to improve the OSDP message parser’s robustness. Users must immediately update the AXIS device software available here.
The research highlights the potential risks fortified OT networks could be exposed to. In its security advisory published on 25 July 2023, the Cybersecurity and Infrastructure Security Agency (CISA) in the United States confirmed this vulnerability and noted that commercial entities must minimize network exposure for control system devices/systems and ensure these aren’t accessible through the internet.
Nevertheless, these devices/systems must be isolated from business networks and protected via firewalls. Moreover, VPNs should be preferred when remote access is required.