We have released the software patch, identified as PremiSys™ version 4.1, to resolve the CVE-2019-3906 vulnerability reported by Tenable. This patch removes the hardcoded credential and replaces it with a unique system-generated password for each session.
The patch is available to all PremiSys and PremiSys ID users at no charge. IDenticard Access Control systems integrator partners and PremiSys ID direct customers may request a link to PremiSys v4.1 here. PremiSys access control users should contact their systems integrator partners to request PremiSys v4.1.
The ICS-CERT advisory has been updated to reflect that this issue has been resolved. Additionally, an update to the advisory posted on Tenable’s website may be found here. We are planning to release patches for CVE-2019-3907 and CVE-2019-3908 in February 2019.
January 18, 2019
We have evaluated the concerns reported by Tenable and have identified several actions to improve the PremiSys™ System and address the vulnerabilities, listed below by their Common Vulnerabilities and Exposures (CVE) identifiers, noted in their report.
| Tenable Identified Issues | IDenticard PremiSys Actions |
| --- | --- |
| CVE-2019-3906: Hardcoded Credentials (Admin Access to Service) | IDenticard will be releasing a patch to remove the hardcoded credential and replace it with a unique system-generated password for each session. We anticipate quality testing for the patch next week, with release to follow immediately upon validation. |
| CVE-2019-3907: Weak Hashing/Encryption | The current encryption method used for authentication will be replaced with a stronger method such as SHA-256 or bcrypt. The patch is estimated for release by February 2019. |
| CVE-2019-3908: Hardcoded Password | The hardcoded password for backup files will be removed in a future release, which is estimated for February 2019. We will provide recommended best practices for securing backup files to system administrators. |
| CVE-2019-3909: Default Database Credentials (Full Access to Service Databases) | System administrators should contact their authorized IDenticard reseller or IDenticard Technical Support directly at (800) 220-8096 for assistance with replacing the default username and password. The PremiSys™ application will be modified to require the end user to configure their own unique username and password. |
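As an added illustration of the hashing change planned for CVE-2019-3907 and the per-session credential planned for CVE-2019-3906 (this is example code written for this page, not IDenticard's or PremiSys's code, and nothing in it describes how PremiSys actually stores credentials): a bare SHA-256 digest is fast and unsalted, so it is not by itself an adequate password store; bcrypt, Argon2, scrypt or PBKDF2 add a per-user salt and a tunable work factor. Because bcrypt is not in the Python standard library, the example uses PBKDF2-HMAC-SHA256 from hashlib to show those properties, adds a verify-and-upgrade path for migrating records out of the legacy unsalted format on a successful login, and generates a per-session credential from the OS CSPRNG. The record format, iteration count and function names are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

# Assumed parameters for this example (not PremiSys values).
ITERATIONS = 600_000      # PBKDF2-HMAC-SHA256 work factor; raise as hardware gets faster
SALT_BYTES = 16           # per-record random salt
SCHEME = "pbkdf2_sha256"  # tag stored with each record so the scheme can be changed later


def legacy_sha256(password: str) -> str:
    """Bare, unsalted SHA-256 of the password: the weak form to migrate away from.

    It is deterministic (two users with the same password get identical records)
    and cheap (an attacker can test enormous numbers of guesses per second
    against a stolen table), which is why a plain digest is not a password hash.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash in a self-describing record: scheme$iterations$salt$digest."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def is_legacy_record(record: str) -> bool:
    """A legacy record is a bare 64-character hex SHA-256 digest with no scheme tag."""
    return "$" not in record and len(record) == 64


def verify_and_upgrade(password: str, record: str,
                       iterations: int = ITERATIONS) -> Tuple[bool, str]:
    """Check a login against either record format.

    Returns (ok, record_to_store). When a legacy record verifies, the caller
    gets a fresh salted record to write back, so the table migrates as users
    log in without ever needing the plaintext passwords up front.
    """
    if is_legacy_record(record):
        ok = hmac.compare_digest(legacy_sha256(password), record)
        return ok, (hash_password(password, iterations=iterations) if ok else record)
    return verify_password(password, record), record


def new_session_password(nbytes: int = 32) -> str:
    """Unique per-session credential from the OS CSPRNG, in place of a fixed built-in password."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    # Constructed sample: one legacy record and one upgraded record for the same password.
    old = legacy_sha256("correct horse battery staple")
    ok, new = verify_and_upgrade("correct horse battery staple", old)
    print("legacy login ok:", ok)
    print("upgraded record:", new[:40] + "...")
    print("session password:", new_session_password())
```

Rehashing on login only works if the verify path still accepts the legacy format, so the legacy branch should be removed once the table has migrated (or after a deadline that forces remaining users through a password reset); leaving it in place forever keeps the weak records usable.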
We will be making these patches available at no charge to all users of the PremiSys™ System as they are released.
January 15, 2019
We take the issues identified by Tenable, a leading third-party cybersecurity research company, seriously and are looking to incorporate their feedback into our ongoing product development cycle. PremiSys System software is constantly evolving and we appreciate the diligence Tenable outlined in their messages to us.
At IDenticard, we pride ourselves in listening and responding to our customers. Regrettably, we overlooked the communication attempts from Tenable. This is unacceptable for us and we are currently reviewing our inbound communication practices to ensure it does not happen in the future. We welcome further communication from Tenable regarding this matter.
The safety and security of our customers is our first priority. As a global leader in security and identification solutions, IDenticard is committed to continuous improvement and addressing customer concerns. As part of our ongoing agile software development process, we anticipate releasing improvements in the near term and will keep our customers updated with how those improvements address Tenable’s concerns.