A severe vulnerability has been discovered in Axis Communications' access control product, the Axis A1001 network door controller. The vulnerability, known as CVE-2023-21406, poses both physical and cybersecurity threats to facilities.
Axis Communications, a renowned Swedish security solutions provider, offers a range of physical security products that are widely used worldwide. The recently discovered flaw, rated as 'high severity', is a heap-based buffer overflow that affects the A1001 door controller. However, Axis promptly released patches and implemented additional security measures to address the vulnerability.
Both Axis Communications and the US Cybersecurity and Infrastructure Security Agency (CISA) have issued advisories to ensure organizations are informed about the vulnerability. The flaw is related to the Open Supervised Device Protocol (OSDP), a communication protocol that enables secure access control reader communication with the access controller.
The vulnerability was discovered by Ariel Harush and Roy Hodir, researchers at OTORIO, an industrial cybersecurity firm. Their research focused on assessing the security risks associated with access control readers and controllers, particularly the OSDP protocol. To exploit this vulnerability, an attacker would need physical access to the RS-485 twisted pair cable at the back of an access control reader, commonly found at entry of secured facilities.
Once exploited, an attacker gains the ability to open doors and tamper with the access controller. Additionally, the flaw allows for remote code execution on the internal access controller from outside the facility, potentially serving as a gateway to the internal IP network. OTORIO mentioned additional vulnerabilities were also found as part of this research and will release more details in addition to an OSDP assessment open source tool in the future.
The heap-based buffer overflow occurs in the pacsiod process responsible for OSDP communication, as stated in Axis Communications' advisory. Exploiting this vulnerability allows attackers to write data outside the allocated buffer, leading to arbitrary code execution and significant risk.
Axis has promptly released a patched version that addresses the vulnerability. CISA advises organizations to minimize network exposure for control system devices and isolate control system networks behind firewalls.
The discovery of this vulnerability underscores the importance of promptly applying patches and enhancing physical security measures for access control systems. Stay informed about the latest cybersecurity developments to ensure the protection of your facilities and networks.