Girls Learn Cyber, Inc. (GLC) students conducted open source intelligence (OSINT) research on electronic key boxes via Shodan. In their research GLC students research found Key Systems, Inc. Global Facilities Management System (GFMS) software publicly available across various organizations. They then found the default admin username and PIN in a publicly available technical manual. Following the bug bounty rules of one organization, they tested the hardcoded admin credentials and successfully achieved administrator access of GFMS remotely.
From there, the GLC students found that one can greatly impact the availability and confidentiality of GFMS instances. Here are examples of what one can do upon using the hardcoded credentials:
View all usernames of keys
View full-names of owners of the keys
View the purpose of each key
Open or close the electronic key box of keys
Change the administrator credentials
Reboot the electronic key box
Change alarm settings
Change web server security settings
The above steps were replicated across multiple instances of GFMS. GLC students recommend GFMS users change the default username and PIN to better secure their systems.
Based off our previous work above on finding weaknesses on Global Facilities Management Software (GFMS), we submitted a CVE entry.
Here are the data we authored for this CVE:
Name of Affected Product: Global Facilities Management System
Affected Version: Version 3
Vendor: Key Systems, Inc.
CVE ID: CVE-2022-45766
Vulnerability Type: Improper Access Control
CWE ID: CWE-284
Attack Type: Remote
Impacts: Information Disclosure, Denial of Service
Description: Improper access control via hardcoded credentials in Global Facilities Management Software (GFMS) Version 3 software distributed by Key Systems Inc. permits remote attacks to impact availability, confidentiality, accessibility, and dependability of electronic key boxes.