1. EXECUTIVE SUMMARY
- CVSS v3 5.3
- ATTENTION: Low attack complexity
- Vendor: HID Global
- Equipment: Reader Configuration Cards
- Vulnerability: Improper Authorization
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to read the credential and device administration keys from a configuration card. Those keys could be used to create malicious configuration cards or credentials.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following HID products are affected:
- HID iCLASS SE reader configuration cards: All versions
- OMNIKEY Secure Elements reader configuration cards: All versions
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER AUTHORIZATION CWE-285
Sensitive data can be extracted from HID iCLASS SE reader configuration cards. This could include credential and device administrator keys.
CVE-2024-23806 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Multiple
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER
HID Global reported this vulnerability to CISA.
4. MITIGATIONS
HID Global recommends the following mitigations to reduce the risk:
- Elite Key and Custom Key customers that have kept their configuration cards secure should continue to be vigilant and restrict access to those cards. To exploit this vulnerability, a reader must be physically close to or in possession of the confi
[…]