OVERVIEW Key Systems Electronic Key Lockers contain a command injection vulnerability which may allow a remote unauthenticated attacker to inject commands into the electronic key locker. Key Systems Electronic Key Lockers also contains weak authentication which could allow an attacker administrative access to the electronic key locker. DESCRIPTION Key Systems Electronic Key Lockers run a management listener on tcp/1010 which is used for communication between the electronic key locker and the master authentication server. It is possible for an attacker to send plaintext commands to tcp/1010 to have the electronic key locker perform various functions such as unlock/lock the physical device or change the device's configuration. The Key Systems Electronic Key Locker also contains a web server which is vulnerable to weak authentication. The authentication credentials required to log into the web server are a username (default is “admin”) and a 4 digit PIN number which can be easily brute-forced using a HTTP GET request, http://x.x.x.x/?Function=Auth&authorize=on&uid=admin&login=5555. The web interface allows for the user to unlock/lock the device and to change the configuration. IMPACT An unauthenticated remote attacker with network access to the Key Systems Electronic Key Locker can perform various functions such as unlock/lock the physical device to gain physical access to the contents of the locker, or change the device's configuration, or brute-force web server management user accounts. WORKAROUNDS Restrict access As a general good security practice, only allow connections from trusted hosts and networks. Restricting access would prevent an attacker from accessing a Key Systems Electronic Key Locker using stolen credentials from a blocked network location. REFERENCES http://www.keystorage.com/electroniccabinets.htm NOTE: This was reported to CERT and was about to be published, but the vendor stated that this is a non-standard, non-default configuration so it was not published. The fact is that it can be configured and used in this way and I think lots of clients probably do.