ZDI-16-223: HID VertX/Edge Remote Code Execution Vulnerability

A security vulnerability has been discovered in HID Edge and VertX controllers that allows remote code execution with root privileges. The vulnerability can be exploited through the controller’s UDP discovery service to inject commands into the controller, which in effect compromises the controller’s security. Authentication is not required to exploit this vulnerability.

April 5, 2016

An attacker can leverage this vulnerability, for example, by sending unauthenticated UDP packets to the devices, thereby unlocking all doors controlled by the devices. The following controller patch addresses this security vulnerability.

NOTE: There are separate procedures for the HID Legacy and the HID EVO lines of products.

Vulnerability Number: ZDI-16-223

Legacy VertX/EDGE controllers

The Legacy HID controllers need to be running firmware version 2.2.7.300 or higher. Please review KBA1050 for instructions regarding the firmware upgrade of Legacy controllers. The firmware can be downloaded from KBA1137.

Procedure

  1. Download and extract the following patch, for Legacy controllers, to your workstation: VertX_EDGE-discoveryd. The extracted patch file "VertXEDGE227SP5-discoveryd" must be renamed to "discoveryd".
  2. Open a command prompt window. Log into the controller via Telnet, using the root account.
  3. Stop the discovery process by running the following command: "/etc/init.d/discovery stop".
  4. Using Windows Explorer or an FTP client, open an FTP session to the controller. Browse to the following location on the controller: "/mnt/apps/bin/".
  5. The existing 'discoveryd' file found on the controller will need to be replaced. Copy the patched version downloaded in Step 1, and overwrite the file found on the controller.
  6. Restart the discovery process. From the Telnet session opened in Step 2, run the following command: "/etc/init.d/discovery start".

EVO Edge/VertX controllers

The EVO HID controllers need to be running firmware 3.3.1.1168 or higher. Please review KBA1134 for instructions and downloads regarding the firmware upgrade of EVO controllers.

Procedure

  1. Download and extract the following patch for EVO controllers, to your workstation: VertX_EDGE-EVO-discoveryd.
  2. Ensure the controller is running firmware version 3.3.1.1168 or higher.
  3. The extracted "VertxEdgeEVOdiscoveryd-2.0.0-1.arm.rpm" patch is applied in the same manner as a HID EVO controller firmware upgrade. Reference KBA1134 for the upgrade procedure.
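Both procedures require a minimum firmware version before the discoveryd patch is applied. The following added example (not HID's own code) triages a controller inventory against the two minimums stated above; the CSV layout, the "legacy"/"evo" labels, and the sample controller names and versions are assumptions constructed for illustration.

```python
import csv
import io

# Minimum firmware per product line, as stated in this advisory.
MIN_FIRMWARE = {"legacy": "2.2.7.300", "evo": "3.3.1.1168"}


def parse_version(text):
    """Turn '3.3.1.1168' into (3, 3, 1, 1168); raise ValueError if malformed."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def patch_action(line, firmware):
    """Return the next step for one controller."""
    minimum = MIN_FIRMWARE.get(line.strip().lower())
    if minimum is None:
        return "unknown product line: check manually"
    try:
        current, required = parse_version(firmware), parse_version(minimum)
    except ValueError:
        return "unreadable firmware version: check manually"
    # Pad to equal length so '2.2.7' compares as '2.2.7.0'.
    width = max(len(current), len(required))
    current += (0,) * (width - len(current))
    required += (0,) * (width - len(required))
    # Fields compare as integers: build 39 is older than 300, unlike a string compare.
    if current < required:
        return f"upgrade firmware to {minimum} or higher first"
    return "apply discoveryd patch"


def triage(inventory_csv):
    """Map controller name -> action for a CSV with name,line,firmware columns."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["name"]: patch_action(row["line"], row["firmware"]) for row in reader}


# Constructed sample inventory (names and versions are made up for illustration).
SAMPLE = """name,line,firmware
lobby-door,legacy,2.2.7.39
server-room,legacy,2.2.7.300
garage,evo,3.3.1.1168
annex,evo,3.5.0.2
loading-dock,evo,unknown
"""

if __name__ == "__main__":
    for name, action in triage(SAMPLE).items():
        print(f"{name}: {action}")
```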

For more information regarding this issue please refer to the following HID bulletin: Discovery Protocol Security Vulnerability Tech Bulletin.