SRA Security Advisory

Brivo Access Control Systems

Feb 19, 2024

Summary

SRA has identified multiple vulnerabilities in Brivo Access Control Systems that can lead to the disclosure of sensitive system data and allow degradation or bypass of critical system functions.


CVE Identifiers

CVE ID           CVE Name
CVE-2023-6259    Local Access to Sensitive Data
CVE-2023-6260    Web UI OS Command Injection


Vulnerability Details / Description

CVE-2023-6259 – Local Access to Sensitive Data

An attacker with physical access to the ACS100 or ACS300 devices can access sensitive data from device memory that can be used to conduct additional attacks.

Severity

The CVSS base score of this vulnerability has been calculated to be 7.1 (High):
CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2023-6260 – Web UI OS Command Injection

ACS300 (Physical Access)

An attacker with physical access to ACS300 devices can perform a command injection attack via the web UI and gain access to sensitive data that can be used to conduct additional attacks.

Severity

The CVSS base score of this vulnerability has been calculated to be 7.4 (High) for the physical access scenario:

CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H


ACS100 (Adjacent Network Access)

An attacker with local network access to ACS100 devices can perform a command injection attack via the web UI and gain access to sensitive data that can be used to conduct additional attacks.

Severity

The CVSS base score of this vulnerability has been calculated to be 9.0 (High) for the adjacent network access scenario:

CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H


Affected Versions and Models

Affects models ACS100 and ACS300. Models ACS6000 and ACSSDC may also be affected.

Firmware Versions

Affects firmware versions from 5.2.4 up to, but not including, 6.2.4.3. Versions prior to 5.2.4 may also be affected.


MITRE CWE Weakness Enumeration

CWE-284: Improper Access Control

CWE-522: Insufficiently Protected Credentials

CWE-77: Improper Neutralization of Special Elements used in a Command (‘Command Injection’)
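
CWE-77 is the weakness class behind CVE-2023-6260. The advisory does not describe which web UI function is affected, so the following added example is hypothetical and is not Brivo's code: a device-style network diagnostic handler that splices a user-supplied host into a shell command string, beside the hardened form that validates the target and passes an argv list with no shell, plus a check that a reviewer or a request-logging layer could use to spot shell metacharacters in submitted values.

```python
"""CWE-77 illustration: a hypothetical device web UI 'ping' diagnostic.

Added example, not Brivo firmware code. The handler, its parameter and the
sample inputs are assumptions constructed to show the weakness class and its
mitigation.
"""
import ipaddress
import re
import shlex
import subprocess


# --- Vulnerable pattern: user input spliced into a shell command string. ---
def build_ping_command_vulnerable(host: str) -> str:
    """Return the string a naive handler would hand to /bin/sh.

    Anything in `host` that the shell treats specially (';', '|', '$(...)')
    becomes part of the command line rather than part of the address.
    """
    return f"ping -c 1 {host}"


# --- Hardened pattern: validate first, then exec an argv list with no shell. ---
# RFC 1123-style hostname: labels of letters, digits and hyphens, not starting
# or ending with a hyphen, 253 characters overall.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def validate_target(host: str) -> str:
    """Accept an IPv4/IPv6 literal or a DNS hostname; reject everything else."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return host
    raise ValueError("target must be an IP address or hostname")


def build_ping_argv(host: str) -> list:
    """argv for the diagnostic. A validated target cannot start with '-' (so it
    cannot be mistaken for an option) and cannot carry shell metacharacters."""
    return ["ping", "-c", "1", validate_target(host)]


def run_ping(host: str) -> subprocess.CompletedProcess:
    """Execute the diagnostic. shell=False (the default) passes argv straight to
    execve, so the shell never sees the value at all."""
    return subprocess.run(
        build_ping_argv(host), capture_output=True, text=True, timeout=5, check=False
    )


def contains_shell_metacharacters(value: str) -> bool:
    """True when shlex would need to quote the value, i.e. when a shell would
    not treat it as a single plain word. Useful for review or request logging."""
    return shlex.quote(value) != value


if __name__ == "__main__":
    # Constructed sample inputs: a clean address and one carrying a separator.
    for sample in ("192.0.2.1", "192.0.2.1; echo injected"):
        vulnerable = build_ping_command_vulnerable(sample)
        print(f"vulnerable form: {vulnerable!r} "
              f"(metacharacters: {contains_shell_metacharacters(sample)})")
        try:
            print(f"hardened argv:   {build_ping_argv(sample)}")
        except ValueError as err:
            print(f"hardened form rejected input: {err}")
```

The two forms differ in where the boundary between data and command is drawn: the vulnerable one lets the shell decide, the hardened one decides before any process is spawned and then uses an interface (argv, no shell) in which the decision cannot be undone.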


Remediation Options

Update affected devices to firmware version 6.2.4.3. Contact Brivo or your reseller for more information.


Source

These vulnerabilities were discovered by Krzysztof Grochal and Gabe Siftar, as part of a research initiative for Security Risk Advisors’ internal hardware penetration testing team.


Timeframe

October 9, 2023 – SRA attempts initial contact with Brivo.

November 9, 2023 – SRA shares vulnerability details with Brivo’s product security team.

November 29, 2023 – SRA reserves CVE IDs.

December 15, 2023 – Brivo releases fix to production.