← Advisories

SOYAL Biometric Access Control System 5.0 CSRF Change Admin Password

Medium
Advisory ID
ZSL-2021-5632
Release Date
18 March 2021
Vendor
SOYAL Technology Co., Ltd - https://www.soyal.com
Affected Version
AR-727 i/CM - F/W: 5.0, AR837E/EF - F/W: 4.3, AR725Ev2 - F/W: 4.3 191231, AR331/725E - F/W: 4.2, AR837E/EF - F/W: 4.1, AR-727CM /i - F/W: 4.09, AR-727CM /i - F/W: 4.06, AR-837E - F/W: 3.03
CVE
CVE-2021-28268
Tested On
SOYAL Technology WebServer 2.0, SOYAL Serial Device Server 4.03A, SOYAL Serial Device Server 4.01n, SOYAL Serial Device Server 3.07n
Summary

Soyal Access systems are built into Raytel Door Entry Systems and are providing access and lift control to many buildings from public and private apartment blocks to prestigious public buildings.

Description

The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

Proof of Concept
soyal_csrf.txtTXT
Disclosure Timeline
25.01.2021Vulnerability discovered.
03.02.2021Vendor contacted.
08.02.2021No response from the vendor.
09.02.2021Distributor responds and informs vendor.
09.02.2021Sent details to distributor.
10.02.2021Asked distributor for status update.
11.02.2021Vendor will patch the issue.
18.03.2021Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://www.exploit-db.com/exploits/49677
[2]https://exchange.xforce.ibmcloud.com/vulnerabilities/198551
[3]https://packetstormsecurity.com/files/161876/
[4]https://cxsecurity.com/issue/WLB-2021030132
[5]https://nvd.nist.gov/vuln/detail/CVE-2021-28268
[6]https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28268
Changelog
18.03.2021Initial release
23.03.2021Added reference [1], [2], [3] and [4]
19.06.2021Added reference [5] and [6]