HID Global SAFE Vulnerability - 20230302002

Overview

The WA SOC has observed a vulnerability on the External Visitor Manager portal of HID's SAFE versions 5.8.0 through 5.11.3 as vulnerable to manipulation within web fields in the application programmable interface (API). An attacker could log in using account credentials available through a request generated by an internal user and then manipulate the visitor-id within the web API to access the personal data of other users.

There is no limit on the number of requests that can be made to the HID SAFE Web Server, so an attacker could also exploit this vulnerability to create a denial-of-service condition.

What is the vulnerability?

CVE-2023-2904 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H).

What is vulnerable?

The vulnerability exists in the following products:

• HID SAFE: Versions 5.8.0 through 5.11.3 using the optional and separately licensed Visitor Manager Portal

What has been observed?

There is no evidence of exploitation affecting Western Australian Government Facilities, Transportation, Commercial Facilities or Healthcare at the time of publishing. CISA has listed this vulnerabilty in their MODIFICATION OF ASSUMED-IMMUTABLE DATA CWE-471 catalog.

Recommendation

The WA SOC encourages users and administrators to review the HID Product Security advisories page for more information, apply the necessary patch, and validate systems against the indicators of compromise listed in the advisories for affected product. The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected portals: https://www.hidglobal.com/documents/safe-visitor-manager-portal