VAR-201712-0881
Vulnerability from variot - Updated: 2025-04-20 23:15
A door-unlocking issue was discovered on Software House iStar Ultra devices through 6.5.2.20569 when used in conjunction with the IP-ACM Ethernet Door Module. The communications between the IP-ACM and the iStar Ultra are encrypted using a fixed AES key and IV. Each message is encrypted in CBC mode and restarts with the fixed IV, leading to replay attacks of entire messages. There is no authentication of messages beyond the use of the fixed AES key, so message forgery is also possible. Software House iStar Ultra devices contain an access control vulnerability. Information may be tampered with and service operation may be disrupted (DoS). The IP-ACM Ethernet Door Module is an access control module. This system is used to control physical access to resources based on RFID-based badge readers. Badge readers interface with the IP-ACM board, which uses TCP/IP to communicate with the iStar Ultra controller.
These were discovered during a black box assessment and therefore the vulnerability list should not be considered exhaustive; observations suggest that it is likely that further vulnerabilities exist. It is strongly recommended that Software House undertake a full whitebox security assessment of this application. Additionally, it is our suggestion that all communications be conducted over TLS. While alternatives are suggested below, cryptography is very difficult even for experts, and so using a well-understood cryptosystem like TLS is preferable to home-grown solutions. The version under test was indicated as: 6.5.2.20569. As of the time of disclosure, the issues remain unfixed. A working proof of concept has been demonstrated that allows an attacker with access to the IP network used by the IP-ACM and iStar Ultra to unlock doors connected to the IP-ACM. (This PoC will not be disclosed at this time, due to the issue remaining unfixed.)
Impact & Workaround
An attacker with access to the network can unlock doors without generating any log entry of the door unlock. An attacker can also prevent legitimate unlock attempts. Organizations using these devices should ensure that the network used for IP-ACM to iStar Ultra communications is not accessible to potential attackers.
Timeline
- 2017/07/01-2017/07/14 - Issues discovered
- 2017/07/19 - Issues disclosed to Software House
- 2017/08/29 - Issues acknowledged & proposed fixes discussed. Informed that current hardware could not be fixed and fixes would only apply to new products.
- 2017/10/19 - 90 day window elapsed in accordance with disclosure policy.
- 2017/12/18 - Public disclosure.
Credit
These issues were discovered by David Tomaschik of the Google Security Team.
-- David Tomaschik Security Engineer ISA Assessments Team Google, Inc
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201712-0881",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "istar ultra",
"scope": "lte",
"trust": 1.0,
"vendor": "swhouse",
"version": "6.5.2.20569"
},
{
"model": "istar ultra",
"scope": "lte",
"trust": 0.8,
"vendor": "tyco",
"version": "6.5.2.20569"
},
{
"model": "istar ultra",
"scope": "eq",
"trust": 0.6,
"vendor": "swhouse",
"version": "6.5.2.20569"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2017-012004"
},
{
"db": "CNNVD",
"id": "CNNVD-201712-718"
},
{
"db": "NVD",
"id": "CVE-2017-17704"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/o:swhouse:istar_ultra_firmware",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2017-012004"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "David Tomaschik",
"sources": [
{
"db": "PACKETSTORM",
"id": "145497"
}
],
"trust": 0.1
},
"cve": "CVE-2017-17704",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 5.8,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "CVE-2017-17704",
"impactScore": 4.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 1.8,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 5.8,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "VHN-108753",
"impactScore": 4.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:N/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"exploitabilityScore": 2.2,
"id": "CVE-2017-17704",
"impactScore": 5.2,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.8,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2017-17704",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2017-17704",
"trust": 0.8,
"value": "High"
},
{
"author": "CNNVD",
"id": "CNNVD-201712-718",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-108753",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-108753"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-012004"
},
{
"db": "CNNVD",
"id": "CNNVD-201712-718"
},
{
"db": "NVD",
"id": "CVE-2017-17704"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "A door-unlocking issue was discovered on Software House iStar Ultra devices through 6.5.2.20569 when used in conjunction with the IP-ACM Ethernet Door Module. The communications between the IP-ACM and the iStar Ultra is encrypted using a fixed AES key and IV. Each message is encrypted in CBC mode and restarts with the fixed IV, leading to replay attacks of entire messages. There is no authentication of messages beyond the use of the fixed AES key, so message forgery is also possible. Software House iStar Ultra The device contains an access control vulnerability.Tampering with information and disrupting service operations (DoS) There is a possibility of being put into a state. IP-ACM Ethernet Door Module is an access control module. This system is used to control physical access to\nresources based on RFID-based badge readers. Badge readers interface with\nthe IP-ACM board, which uses TCP/IP to communicate with the iStar Ultra\ncontroller. \n\nThese were discovered during a black box assessment and therefore the\nvulnerability list should not be considered exhaustive; observations\nsuggest that it is likely that further vulnerabilities exist. It is\nstrongly recommended that Software House undertake a full whitebox security\nassessment of this application. Additionally, it is our suggestion that\nall communications be conducted over TLS. While alternatives are suggested\nbelow, cryptography is very difficult even for experts, and so using a\nwell-understood cryptosystem like TLS is preferable to home-grown\nsolutions. The version under test was indicated as: 6.5.2.20569. As of the\ntime of disclosure, the issues remain unfixed. A working proof of concept has been\ndemonstrated that allows an attacker with access to the IP network used by\nthe IP-ACM and iStar Ultra to unlock doors connected to the IP-ACM. 
(This\nPoC will not be disclosed at this time, due to the issue remaining unfixed.)\n\nImpact \u0026 Workaround\n-------------------\nAn attacker with access to the network can unlock doors without generating\nany log entry of the door unlock. An attacker can also prevent legitimate\nunlock attempts. Organizations using these devices should ensure that the\nnetwork used for IP-ACM to iStar Ultra communications is not accessible to\npotential attackers. \n\nTimeline\n--------\n* 2017/07/01-2017/07/14 - Issues discovered\n* 2017/07/19 - Issues disclosed to Software House\n* 2017/08/29 - Issues acknowledged \u0026 proposed fixes discussed. Informed\nthat current hardware could not be fixed and fixes would only apply to new\nproducts. \n* 2017/10/19 - 90 day window elapsed in accordance with disclosure policy. \n* 2017/12/18 - Public disclosure. \n\nCredit\n------\nThese issues were discovered by David Tomaschik of the Google Security Team. \n\n\n-- \nDavid Tomaschik\nSecurity Engineer\nISA Assessments Team\nGoogle, Inc",
"sources": [
{
"db": "NVD",
"id": "CVE-2017-17704"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-012004"
},
{
"db": "VULHUB",
"id": "VHN-108753"
},
{
"db": "PACKETSTORM",
"id": "145497"
}
],
"trust": 1.8
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2017-17704",
"trust": 2.6
},
{
"db": "JVNDB",
"id": "JVNDB-2017-012004",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201712-718",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "145497",
"trust": 0.2
},
{
"db": "VULHUB",
"id": "VHN-108753",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-108753"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-012004"
},
{
"db": "PACKETSTORM",
"id": "145497"
},
{
"db": "CNNVD",
"id": "CNNVD-201712-718"
},
{
"db": "NVD",
"id": "CVE-2017-17704"
}
]
},
"id": "VAR-201712-0881",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-108753"
}
],
"trust": 0.01
},
"last_update_date": "2025-04-20T23:15:49.289000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "http://www.swhouse.com/"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2017-012004"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-330",
"trust": 1.1
},
{
"problemtype": "CWE-284",
"trust": 0.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-108753"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-012004"
},
{
"db": "NVD",
"id": "CVE-2017-17704"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "https://systemoverlord.com/2017/12/18/cve-2017-17704-broken-cryptography-in-istar-ultra-ip-acm-by-software-house.html"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-17704"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-17704"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-108753"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-012004"
},
{
"db": "PACKETSTORM",
"id": "145497"
},
{
"db": "CNNVD",
"id": "CNNVD-201712-718"
},
{
"db": "NVD",
"id": "CVE-2017-17704"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-108753"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-012004"
},
{
"db": "PACKETSTORM",
"id": "145497"
},
{
"db": "CNNVD",
"id": "CNNVD-201712-718"
},
{
"db": "NVD",
"id": "CVE-2017-17704"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2017-12-31T00:00:00",
"db": "VULHUB",
"id": "VHN-108753"
},
{
"date": "2018-02-09T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2017-012004"
},
{
"date": "2017-12-20T01:24:00",
"db": "PACKETSTORM",
"id": "145497"
},
{
"date": "2017-12-18T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201712-718"
},
{
"date": "2017-12-31T02:29:01.550000",
"db": "NVD",
"id": "CVE-2017-17704"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-10-03T00:00:00",
"db": "VULHUB",
"id": "VHN-108753"
},
{
"date": "2018-02-09T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2017-012004"
},
{
"date": "2019-10-23T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201712-718"
},
{
"date": "2025-04-20T01:37:25.860000",
"db": "NVD",
"id": "CVE-2017-17704"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201712-718"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Software House iStar Ultra Device access control vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2017-012004"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "security feature problem",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201712-718"
}
],
"trust": 0.6
}
}