Popular Visitor Management Systems exposed due to security bugs

• A total of 19 security vulnerabilities were discovered in five leading visitor management systems.
• The systems are Jolly Technologies' Lobby Track Desktop, HID Global's EasyLobby Solo, Threshold Security's eVisitorPass, Envoy's Envoy Passport, and The Receptionist.

Visitor Management Systems (VMS) are a norm in most private or public buildings. They play an essential role in the physical security of the premises of any organization. However, in a recent study, security researchers from IBM’s X-Force Red uncovered a string of security flaws present in visitor management systems(VMS).

X-Force Red is the penetration testing team of IBM. The research revealed vulnerabilities ranging from data exfiltration to complete system takeover by external entities.

What are the vulnerabilities?

The following are the vulnerabilities with the CVE number and a short description.

1. CVE-2018-17482 - Lobby Track Desktop visitor records information disclosure.
2. CVE-2018-17483 - Lobby Track Desktop driver’s license number information disclosure.
3. CVE-2018-17484 - Lobby Track Desktop database information disclosure.
4. CVE-2018-17485 - Lobby Track Desktop default account.
5. CVE-2018-17486 - Lobby Track Desktop visitor records security bypass.
6. CVE-2018-17487 - Lobby Track Desktop kiosk breakout privilege escalation.
7. CVE-2018-17488 - Lobby Track Desktop kiosk breakout privilege escalation.
8. CVE-2018-17489 - EasyLobby Solo social security number information disclosure.
9. CVE-2018-17490 - EasyLobby Solo task manager denial of service.
10. CVE-2018-17491 - EasyLobby Solo program privilege escalation.
11. CVE-2018-17492 - EasyLobby Solo default account.
12. CVE-2018-17493 - eVisitorPass Fullscreen button breakout privilege escalation.
13. CVE-2018-17494 - eVisitorPass Start Menu breakout privilege escalation.
14. CVE-2018-17495 - eVisitorPass Help Dialog privilege escalation.
15. CVE-2018-17496 - eVisitorPass kiosk privilege escalation.
16. CVE-2018-17497 - eVisitorPass admin credentials default account.
17. CVE-2018-17499 - Envoy Passport for Android and Envoy Passport for iPhone API key information disclosure.
18. CVE-2018-17500 - Envoy Passport for Android and Envoy Passport for iPhone OAuth Creds information disclosure.
19. CVE-2018-17502 - The Receptionist for iPad contacts information disclosure.

The methodology behind the research

Daniel Crowley, research director of IBM X-Force Red told ThreatPost about the methodology used by the researchers to analyze VMS.

“One, was how easy it is to get checked-in as a visitor without any sort of real identifying information. Secondly, we set out to see how easy is it to get other people’s information out of the system. And third, is there a way that an adversary can break out of the application, cause it to crash or get arbitrary code-execution to run on the targeted device and gain a foothold to attack the corporate network,” said Crowley.

Following the disclosure, the researchers have notified the respective VMS providers of these flaws.