SOYAL Biometric Access Control System 5.0 Master Code Disclosure

Title: SOYAL Biometric Access Control System 5.0 Master Code Disclosure
Advisory ID: ZSL-2021-5630
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (3/5)
Release Date: 18.03.2021
Summary
Soyal Access systems are built into Raytel Door Entry Systems and are providing access and lift control to many buildings from public and private apartment blocks to prestigious public buildings.
Description
The controller suffers from a cleartext transmission of sensitive information. This allows interception of the HTTP traffic and disclose the Master code and the Arming code via a man-in-the-middle attack. An attacker can obtain these codes to enter into the controller's Programming mode and bypass physical security controls in place.
Vendor
SOYAL Technology Co., Ltd - https://www.soyal.com
Affected Version
AR-727 i/CM - F/W: 5.0
AR837E/EF - F/W: 4.3
AR725Ev2 - F/W: 4.3 191231
AR331/725E - F/W: 4.2
AR837E/EF - F/W: 4.1
AR-727CM /i - F/W: 4.09
AR-727CM /i - F/W: 4.06
AR-837E - F/W: 3.03
Tested On
SOYAL Technology WebServer 2.0
SOYAL Serial Device Server 4.03A
SOYAL Serial Device Server 4.01n
SOYAL Serial Device Server 3.07n
Vendor Status
[25.01.2021] Vulnerability discovered.
[03.02.2021] Vendor contacted.
[08.02.2021] No response from the vendor.
[09.02.2021] Distributor responds and informs vendor.
[09.02.2021] Sent details to distributor.
[10.02.2021] Asked distributor for status update.
[11.02.2021] Vendor will patch the issue.
[18.03.2021] Public security advisory released.
PoC
soyal_code.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://exchange.xforce.ibmcloud.com/vulnerabilities/198552
[2] https://www.exploit-db.com/exploits/49676
[3] https://cxsecurity.com/issue/WLB-2021030133
[4] https://packetstormsecurity.com/files/161874
[5] https://www.it.mk/bezbednost-mk-sajber-prostor-i-infrastruktura/
[6] https://www.it.mk/istrazuvanje-mk-sajber-infrastruktura-soyal-biometric-access-control-system/
[7] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28265
[8] https://nvd.nist.gov/vuln/detail/CVE-2021-28265
Changelog
[18.03.2021] - Initial release
[23.03.2021] - Added reference [1], [2], [3] and [4]
[15.04.2021] - Added reference [5] and [6]
[19.06.2021] - Added reference [7] and [8]
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk