CVE-2022-26671
📋 TL;DR
Taiwan Secom Dr.ID Access Control system's login page contains hard-coded credentials in source code, allowing unauthenticated remote attackers to access partial system information and modify settings to disrupt service. This affects all deployments of the vulnerable Dr.ID Access Control system.
💻 Affected Systems
- Taiwan Secom Dr.ID Access Control System
📦 What is this software?
Dr.ID Access Control is Taiwan Secom's physical access control system; the component affected by this CVE is its login page, whose source code contains the hard-coded credentials.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to modify access control settings, disable security features, and potentially gain administrative privileges over physical access systems.
Likely Case
Unauthenticated attackers accessing sensitive system information and modifying configuration settings to cause service disruption or bypass security controls.
If Mitigated
Limited information disclosure with no ability to modify critical settings if proper network segmentation and access controls are implemented.
🎯 Exploit Status
Exploitation requires only discovering the hard-coded credentials from source code and using them to authenticate.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in available references
Vendor Advisory: https://www.twcert.org.tw/tw/cp-132-5971-b691f-1.html
Restart Required: Yes
Instructions:
1. Contact Taiwan Secom for updated firmware/software.
2. Apply the vendor-provided patch.
3. Restart the Dr.ID Access Control system.
4. Verify that the hard-coded credentials are removed from the source code.
🔧 Temporary Workarounds
Network Segmentation
Isolate the Dr.ID Access Control system from untrusted networks and internet access.
Access Control Lists
Implement strict firewall rules that limit access to the Dr.ID system to authorized IP addresses only.
🧯 If You Can't Patch
- Implement network segmentation to isolate the system from untrusted networks
- Monitor authentication logs for use of hard-coded credentials and implement alerting
🔍 How to Verify
Check if Vulnerable:
Inspect the login page source code for hard-coded credentials or attempt authentication with discovered hard-coded credentials.
Check Version:
Check system administration interface or contact vendor for version information.
Verify Fix Applied:
Verify hard-coded credentials are no longer present in source code and test authentication with previously known credentials fails.
📡 Detection & Monitoring
Log Indicators:
- Authentication attempts using hard-coded credentials
- Unauthorized configuration changes
- Multiple failed login attempts followed by successful authentication
Network Indicators:
- Unusual authentication traffic to Dr.ID system from unexpected sources
- Configuration change requests from unauthenticated sources
SIEM Query:
source="dr.id" AND ((event_type="authentication" AND result="success" AND user="[hard-coded-username]") OR (event_type="configuration_change" AND source_ip NOT IN [authorized_ips]))
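The three log indicators above, implemented as a small Python detector run over constructed sample log lines. This is an added example, not part of the advisory or of any vendor tooling; the key=value log layout, the `[hard-coded-username]` placeholder, the authorized IP set and the failure threshold are all assumptions to be replaced with your own values.

```python
import re
from collections import defaultdict

# Placeholder: the hard-coded account name is not published on this page; fill in
# the value from the vendor advisory before deploying.
WATCHLIST_USERS = {"[hard-coded-username]"}
AUTHORIZED_IPS = {"10.0.5.10", "10.0.5.11"}   # constructed: the admin workstations
FAIL_THRESHOLD = 3                             # failures before a success is suspicious

# Constructed sample log lines in a key=value layout; the real Dr.ID log format
# is not documented on this page, so adapt parse() to match it.
SAMPLE_LOGS = """\
ts=2022-03-10T08:00:01 source=dr.id event_type=authentication result=failure user=admin src_ip=203.0.113.7
ts=2022-03-10T08:00:05 source=dr.id event_type=authentication result=failure user=admin src_ip=203.0.113.7
ts=2022-03-10T08:00:09 source=dr.id event_type=authentication result=failure user=admin src_ip=203.0.113.7
ts=2022-03-10T08:00:12 source=dr.id event_type=authentication result=success user=[hard-coded-username] src_ip=203.0.113.7
ts=2022-03-10T08:00:30 source=dr.id event_type=configuration_change user=[hard-coded-username] src_ip=203.0.113.7
ts=2022-03-10T09:15:00 source=dr.id event_type=authentication result=success user=operator src_ip=10.0.5.10
ts=2022-03-10T09:16:00 source=dr.id event_type=configuration_change user=operator src_ip=10.0.5.10
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    return dict(KV.findall(line))   # one key=value log line -> dict

def detect(log_text):
    """Return (rule, src_ip, line) alerts for the three log indicators listed above."""
    alerts = []
    failures = defaultdict(int)  # consecutive failed logins per source IP
    for line in log_text.splitlines():
        ev = parse(line)
        if ev.get("source") != "dr.id":
            continue
        ip = ev.get("src_ip")
        if ev.get("event_type") == "authentication":
            if ev.get("result") == "success":
                if ev.get("user") in WATCHLIST_USERS:
                    alerts.append(("hardcoded_credential_login", ip, line))
                if failures[ip] >= FAIL_THRESHOLD:
                    alerts.append(("failures_then_success", ip, line))
                failures[ip] = 0
            else:
                failures[ip] += 1
        elif ev.get("event_type") == "configuration_change" and ip not in AUTHORIZED_IPS:
            alerts.append(("config_change_from_unauthorized_ip", ip, line))
    return alerts
```

Calling `detect(SAMPLE_LOGS)` yields three alerts, all from 203.0.113.7, while the operator's activity from an authorized workstation produces none.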