
Update on Response to Tenable Report about PremiSys™ System

We have released the second software patch, identified as PremiSys v4.2, that resolves the following vulnerabilities that were identified in the Tenable report:

| Tenable Identified Issues | IDenticard PremiSys Actions |
| --- | --- |
| CVE-2019-3907: Weak Hashing/Encryption | The previous hashing method used for authentication has been replaced with a stronger password hashing algorithm. |
| CVE-2019-3908: Hardcoded Password | The Backup/Restore utility has been revised to support user-specified passwords. The hardcoded password for backup files has been removed. |

The patch is available to all PremiSys and PremiSys ID users at no charge. IDenticard® Access Control systems integrator partners and PremiSys ID direct customers may request a link to PremiSys v4.2 here. PremiSys access control users should contact their systems integrator partners to request PremiSys v4.2.

The ICS-CERT advisory has been updated to reflect that this issue has been resolved. Additionally, an update to the advisory posted on Tenable’s website may be found here.


January 31, 2019

We have released the software patch, identified as PremiSys™ version 4.1, to resolve the CVE-2019-3906 vulnerability reported by Tenable. This patch removes the hardcoded credential and replaces it with a unique system-generated password for each session.

The patch is available to all PremiSys and PremiSys ID users at no charge. IDenticard Access Control systems integrator partners and PremiSys ID direct customers may request a link to PremiSys v4.1 here. PremiSys access control users should contact their systems integrator partners to request PremiSys v4.1.

The ICS-CERT advisory has been updated to reflect that this issue has been resolved. Additionally, an update to the advisory posted on Tenable’s website may be found here. We are planning to release patches for CVE-2019-3907 and CVE-2019-3908 in February 2019.


January 18, 2019

We have evaluated the concerns reported by Tenable and have identified several actions to improve the PremiSys™ System and address the common vulnerabilities and exposures (CVEs) noted in their report.

| Tenable Identified Issues | IDenticard PremiSys Actions |
| --- | --- |
| CVE-2019-3906: Hardcoded Credentials (Admin Access to Service) | IDenticard will be releasing a patch to remove the hardcoded credential and replace it with a unique system-generated password for each session. We anticipate quality testing for the patch next week with release to follow immediately upon validation. |
| CVE-2019-3907: Weak Hashing/Encryption | The current encryption method used for authentication will be replaced with a stronger method such as SHA-256 or bcrypt. The patch is estimated for release by February 2019. |
| CVE-2019-3908: Hardcoded Password | The hardcoded password for backup files will be removed in a future release, which is estimated for February 2019. We will provide recommended best practice options for securing backup files to system administrators. |
| CVE-2019-3909: Default Database Credentials (Full Access to Service Databases) | System administrators should contact their authorized IDenticard reseller or IDenticard Technical Support directly at (800) 220-8096 for assistance with replacing the default username and password. The PremiSys™ application will be modified to require the end user to configure their unique username and password. |

We will be making these patches available at no charge to all users of the PremiSys™ System as they are released.


January 15, 2019

We take the issues identified by Tenable, a leading third-party cyber security research company, seriously and are looking to incorporate their feedback into our ongoing product development cycle. PremiSys System software is constantly evolving and we appreciate the diligence Tenable outlined in their messages to us.

At IDenticard, we pride ourselves on listening and responding to our customers. Regrettably, we overlooked the communication attempts from Tenable. This is unacceptable for us and we are currently reviewing our inbound communication practices to ensure it does not happen in the future. We welcome further communication from Tenable regarding this matter.

The safety and security of our customers is our first priority. As a global leader in security and identification solutions, IDenticard is committed to continuous improvement and addressing customer concerns. As part of our ongoing agile software development process, we anticipate releasing improvements in the near term and will keep our customers updated with how those improvements address Tenable’s concerns.