Skip to Main ContentSkip to Footer
Advisory

Incorrect Access Control in AMAG Technologies Symmetry Edge Network Door Controllers

Secureworks Security Advisory 2017-001

December 9, 2017

Advisory Information

  • CVE: CVE-2017-16241
  • Severity: High
  • CVSS v3: 9.3
  • Discovered by: Mike Kelly and John Mocuta of Secureworks

Summary

Incorrect access control in AMAG Technology Symmetry Door Edge Network Controllers enables remote attackers to execute door controller commands (e.g., lock, unlock, add ID card value) by sending unauthenticated requests to affected devices via serial communication over TCP/IP. By monitoring TCP network traffic between the legitimate AMAG Symmetry SMS physical access control server and the EN-1DBC and EN-2DBC networked door controllers, Secureworks researchers were able to reverse engineer the basic data structure of the network communication.


Download the PDF: Secureworks Security Advisory 2017-001

PGP Signature

ABOUT THE AUTHOR
COUNTER THREAT UNIT RESEARCH TEAM
Secureworks Counter Threat Unit™ (CTU) researchers frequently serve as expert resources for the media, publish technical analyses for the security community, and speak about emerging threats at security conferences. Leveraging Secureworks’ advanced security technologies and a network of industry contacts, the CTU™ research team tracks threat actors and analyzes anomalous activity, uncovering new attack techniques and threats. This process enables CTU researchers to identify threats as they emerge and develop countermeasures that protect customers before damage can occur.
Back to more Threat Analyses and Advisories