CloudAware Security Advisory

[CVE pending]: Potential PII leak and incorrect access control in Paxton 
Net2 software


========================================================================
Summary
========================================================================
Insecure backend database in the Paxton Net2 software. Possible leaking 
of PII incorrect access control.
No physical access to computer running Paxton Net2 is required.

========================================================================
Product
========================================================================
* Paxton Net2  (all current versions)

========================================================================
Detailed description
========================================================================
By exploiting MSSQL single usermode it is possible to gain administrator 
rights to the Net2 database. In this database
plaintext PIN codes for building entrance can be found and changed. It 
is also possible to add users to the system and
enable/disable users in the system. By reading tables in the MSSQL table 
PII is leaked. In order to gain access local
access to the computer running Net2 is necessary, but this can also be 
over a network using e.g. Anydesk which makes
physical access not necessary.
The vendor has not acknowledged the vulnerability after contact. There 
is no fix planned.

========================================================================
Solution
========================================================================
As the vendor has not acknowledged the vulnerability there is no 
effective remediation for this vulnerability.
The most effective measure at this moment is closely monitoring who has 
local access to the machine running the Net2
software.

========================================================================
Mitigation
========================================================================
There is no known effective mitigation. Limiting who has local access to 
the machine running the Net2 software seems
the most effective measure.

========================================================================
Weblinks
========================================================================
It has been decided not to release the exploit code yet as there is no 
mitigration possible. Discoverers are willing to
share exploit code at request to help with mitigration.

========================================================================
Discoverers
========================================================================
Jeroen Hermans, CloudAware j.hermans[at]cloudaware[dot]eu
Emiel van Berlo, Danego emiel[at]danego[dot]nl

========================================================================
History
========================================================================
Nov 12 2024: Requested latest Net2 software from Paxton
Nov 26, 2024: Obtained latest Net2 software for other source
Nov 26, 2024: Informed Paxton about vulnerability
Nov 27, 2024: Release of exploit code
Dec 2, 2024: Refused CVE reservation by Paxton & request of CVE 
reservation directly at Mitre