ZDI-16-223: HID VertX/Edge Remote Code Execution Vulnerability

April 5, 2016

A security vulnerability in HID devices allows executing arbitrary code including the unlocking of all doors controlled by the devices. A patch has been released by the manufacturer. Clients should update their devices as soon as possible.

An attacker can leverage this vulnerability for example by sending unauthenticated UDP packets on the devices thereby unlocking all doors controlled by the devices. The following controller patch will address this security vulnerability.

NOTE: There are separate procedures for the HID Legacy and the HID EVO lines of products.

Vulnerability Number: ZDI-16-223

Legacy VertX/EDGE controllers

The Legacy HID controllers need to be running firmware version 2.2.7.300 or higher. Please review KBA1050 for instructions regarding the firmware upgrade of Legacy controllers. The firmware can be downloaded from KBA1137.

Procedure

  1. Download and extract the following patch, for Legacy controllers, to your workstation: VertX_EDGE-discoveryd. The extracted patch file "VertXEDGE227SP5-discoveryd" must be renamed to "discoveryd".
  2. Open a command prompt window. Log into the controller via Telnet, using the root account.
  3. Stop the discovery process by running the following command: "/etc/init.d/discovery stop". 

    ZDI-16-223: HID VertX/Edge Remote Code Execution Vulnerability
     
  4. Using Windows Explorer or a FTP Client, open a FTP session to the controller. Browse to the following location on the controller "/mnt/apps/bin/".

    ZDI-16-223: HID VertX/Edge Remote Code Execution Vulnerability
     
  5. The existing 'discoveryd' file found on the controller will need to be replaced. Copy the patched version downloaded in Step 1, and overwrite the file found on the controller.
  6. Restart the discovery process. From the Telnet session opened in Step 2, run the following command: "/etc/init.d/discovery start".

    ZDI-16-223: HID VertX/Edge Remote Code Execution Vulnerability

EVO Edge/VertX controllers

The EVO HID controllers need to be running firmware 3.3.1.1168 or higher. Please review KBA1134 for instructions and downloads regarding the firmware upgrade of EVO controllers.

Procedure

  1. Download and extract the following patch for EVO controllers, to your workstation: VertX_EDGE-EVO-discoveryd.
  2. Ensure the controller is running firmware version 3.3.1.1168 or higher.
  3. The extracted "VertxEdgeEVOdiscoveryd-2.0.0-1.arm.rpm" patch is applied in the same manner as a HID EVO controller firmware upgrade. Reference KBA1134 for the upgrade procedure.

For more information regarding this issue please refer to the following HID bulletin: Discovery Protocol Security Vulnerability Tech Bulletin.

Previous Article
A closer look at physical security system vulnerabilities
A closer look at physical security system vulnerabilities

In our last post, we got you thinking about the Security-of-Security. Specifically, we raised questions abo...

Next Article
A guide to hardening your Security Center system
A guide to hardening your Security Center system

Security is what we do; and while we are technology innovators first, a big part of our job is ensuring our...