Subscriber Discussion

Premisys Hit With Multiple Zero-Day Disclosures On Its Access Control Software

Undisclosed #1
Jan 15, 2019

From Gizmodo

Cybersecurity firm Tenable Research on Tuesday disclosed multiple zero-day vulnerabilities discovered in the PremiSys software developed by IDenticard, a company whose photo ID software and access control systems are widely used by federal, state, and local government agencies. The company also says its customers, which number in the tens of thousands, include K-12 schools, colleges and universities, as well as medical centers, factories, and an undisclosed number of Fortune 500 companies.

Undisclosed Integrator #2
Jan 16, 2019

Curious... where does all the NIST, HSPD-12, and FIPS201 cartwheel turning come into play when access systems are supposed to be tested for meeting some level of vulnerability? At what point does a Zero Day vulnerability enter the product? Is it hacked after release and propagated from there, or would it have been inherent in the actual product as it comes from the factory?

Undisclosed Integrator #2
Jan 16, 2019

This is the excerpt from the CSO Online article by Ms. Smith that I find to be most disturbing if I'm Identicard:

Apparently, the vendor believed the best course of action was to ignore Tenable’s attempts at a coordinated disclosure. After 45 days, Tenable turned to CERT, which the vendor also ignored. Ninety days after trying to responsibly disclose the vulnerabilities, Tenable Research made its findings public.

Renaud Deraison, co-founder and CTO of Tenable, said, “Unfortunately, many manufacturers in the new world of IoT don’t always understand the risks of unpatched software, leaving consumers and enterprises vulnerable to a cyber attack. In this case, organizations that use PremiSys for access control are at a huge risk, as patches are not available.”
