Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for TSEC by Integrated Control Technology

    CVE-2024-29941 (GCVE-0-2024-29941)

    Vulnerability from nvd – Published: 2024-05-06 22:33 – Updated: 2024-08-02 01:17
    VLAI
    Title
    Credential Cloning
    Summary
    Insecure storage of the ICT MIFARE and DESFire encryption keys in the firmware binary allows malicious actors to create credentials for any site code and card number that is using the default ICT encryption.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-522 - Insufficiently Protected Credentials
    Assigner
    ICT
    Impacted products
    Vendor Product Version
    Integrated Control Technology TSEC Affected: 0
    Create a notification for this product.
    Integrated_control_technology TSEC Affected: *
        cpe:2.3:a:Integrated_control_technology:TSEC:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Thomas Hobson
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:Integrated_control_technology:TSEC:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "TSEC",
                "vendor": "Integrated_control_technology",
                "versions": [
                  {
                    "status": "affected",
                    "version": "*"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "LOCAL",
                  "availabilityImpact": "LOW",
                  "baseScore": 8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-29941",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-07T15:04:30.585039Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-522",
                    "description": "CWE-522 Insufficiently Protected Credentials",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-30T15:19:56.102Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T01:17:58.493Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://ict.co/media/1xdhaugi/credential-cloning.pdf"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "TSEC",
              "vendor": "Integrated Control Technology",
              "versions": [
                {
                  "status": "affected",
                  "version": "0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Thomas Hobson"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Insecure storage of the ICT MIFARE and DESFire encryption keys in the firmware\nbinary allows malicious actors to create credentials for any site code and card number that is using the default\nICT encryption.\n\n"
                }
              ],
              "value": "Insecure storage of the ICT MIFARE and DESFire encryption keys in the firmware\nbinary allows malicious actors to create credentials for any site code and card number that is using the default\nICT encryption.\n\n"
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-06T22:44:35.066Z",
            "orgId": "56c94bcb-ac34-4d7f-b660-d297a6b7ff82",
            "shortName": "ICT"
          },
          "references": [
            {
              "url": "https://ict.co/media/1xdhaugi/credential-cloning.pdf"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Credential Cloning",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cul\u003e\u003cli\u003e\n\nUse custom keysets unique to customer sites\nto prevent cards being created by third parties\nusing exploited publicly available default keysets\n\n\u003c/li\u003e\u003cli\u003e\n\nSetup two-factor authentication (2FA) on all doors where PIN\nreaders are installed to mitigate the risk of using\ncredentials with publicly available default keysets\n\n\u003cbr\u003e\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "  *  \n\nUse custom keysets unique to customer sites\nto prevent cards being created by third parties\nusing exploited publicly available default keysets\n\n  *  \n\nSetup two-factor authentication (2FA) on all doors where PIN\nreaders are installed to mitigate the risk of using\ncredentials with publicly available default keysets\n\n"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "56c94bcb-ac34-4d7f-b660-d297a6b7ff82",
        "assignerShortName": "ICT",
        "cveId": "CVE-2024-29941",
        "datePublished": "2024-05-06T22:33:03.969Z",
        "dateReserved": "2024-03-21T20:07:00.532Z",
        "dateUpdated": "2024-08-02T01:17:58.493Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-29941 (GCVE-0-2024-29941)

    Vulnerability from cvelistv5 – Published: 2024-05-06 22:33 – Updated: 2024-08-02 01:17
    VLAI
    Title
    Credential Cloning
    Summary
    Insecure storage of the ICT MIFARE and DESFire encryption keys in the firmware binary allows malicious actors to create credentials for any site code and card number that is using the default ICT encryption.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-522 - Insufficiently Protected Credentials
    Assigner
    ICT
    Impacted products
    Vendor Product Version
    Integrated Control Technology TSEC Affected: 0
    Create a notification for this product.
    Integrated_control_technology TSEC Affected: *
        cpe:2.3:a:Integrated_control_technology:TSEC:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Thomas Hobson
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:Integrated_control_technology:TSEC:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "TSEC",
                "vendor": "Integrated_control_technology",
                "versions": [
                  {
                    "status": "affected",
                    "version": "*"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "LOCAL",
                  "availabilityImpact": "LOW",
                  "baseScore": 8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-29941",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-07T15:04:30.585039Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-522",
                    "description": "CWE-522 Insufficiently Protected Credentials",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-30T15:19:56.102Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T01:17:58.493Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://ict.co/media/1xdhaugi/credential-cloning.pdf"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "TSEC",
              "vendor": "Integrated Control Technology",
              "versions": [
                {
                  "status": "affected",
                  "version": "0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Thomas Hobson"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Insecure storage of the ICT MIFARE and DESFire encryption keys in the firmware\nbinary allows malicious actors to create credentials for any site code and card number that is using the default\nICT encryption.\n\n"
                }
              ],
              "value": "Insecure storage of the ICT MIFARE and DESFire encryption keys in the firmware\nbinary allows malicious actors to create credentials for any site code and card number that is using the default\nICT encryption.\n\n"
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-06T22:44:35.066Z",
            "orgId": "56c94bcb-ac34-4d7f-b660-d297a6b7ff82",
            "shortName": "ICT"
          },
          "references": [
            {
              "url": "https://ict.co/media/1xdhaugi/credential-cloning.pdf"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Credential Cloning",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cul\u003e\u003cli\u003e\n\nUse custom keysets unique to customer sites\nto prevent cards being created by third parties\nusing exploited publicly available default keysets\n\n\u003c/li\u003e\u003cli\u003e\n\nSetup two-factor authentication (2FA) on all doors where PIN\nreaders are installed to mitigate the risk of using\ncredentials with publicly available default keysets\n\n\u003cbr\u003e\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "  *  \n\nUse custom keysets unique to customer sites\nto prevent cards being created by third parties\nusing exploited publicly available default keysets\n\n  *  \n\nSetup two-factor authentication (2FA) on all doors where PIN\nreaders are installed to mitigate the risk of using\ncredentials with publicly available default keysets\n\n"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "56c94bcb-ac34-4d7f-b660-d297a6b7ff82",
        "assignerShortName": "ICT",
        "cveId": "CVE-2024-29941",
        "datePublished": "2024-05-06T22:33:03.969Z",
        "dateReserved": "2024-03-21T20:07:00.532Z",
        "dateUpdated": "2024-08-02T01:17:58.493Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }