Evolution Controller Multiple Vulnerabilities
Executive Summary
Evolution Controller by CS Technologies is access controller software for controlling physical access (such as doors, elevators, garages) to facilities. The vulnerabilities detailed on this page could allow unauthenticated attackers to disclose information about sites and users, add users, open doors, and crash the application to prevent active monitoring. In cases where the application is exposed to the internet, the attacks could be conducted remotely. There is currently no patch available from the vendor, as they did not respond to the researcher's multiple disclosure attempts over 90 days. DirectCyber has also contacted CS Technologies prior to this publication, to no avail. There are workarounds, listed below, that should be actioned immediately to lower the risk of these vulnerabilities being exploited.
Remediation
For end users of Evolution Controller, DirectCyber recommends the following actions:
- If your EVO software is exposed to the internet and accessible remotely, take it off the internet and put it behind a separate network;
- Change the default password to a longer, hard to guess password;
- Contact your vendor for a patch;
- As a last resort, you could disable the web interface of Evolution Controller.
List of vulnerabilities
- CVE-2024-29836 Broken Authentication on USER_CHANGE in Evolution Controller allows unauthenticated account creation and takeover
CVSS 9.8 Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CVE-2024-29837 Poor session management in Evolution Controller allows administrator functionality for unauthenticated connections
CVSS 8.8 Vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- CVE-2024-29838 Unsanitised variable on DAL_ADD in Evolution Controller causes application level denial of service and crash
CVSS 7.5 Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- CVE-2024-29839 Broken Access control on DESKTOP_EDIT_USER_GET_CARD in Evolution Controller allows unauthenticated attackers to retrieve card data values
CVSS 7.5 Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- CVE-2024-29840 Broken Access control on DESKTOP_EDIT_USER_GET_PIN_FIELDS in Evolution Controller allows unauthenticated attackers to retrieve PIN field values
CVSS 7.5 Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- CVE-2024-29841 Broken Access control on DESKTOP_EDIT_USER_GET_KEYS_FIELDS in Evolution Controller allows unauthenticated attackers to retrieve keys values
CVSS 7.5 Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- CVE-2024-29842 Broken Access control on DESKTOP_EDIT_USER_GET_ABACARD_FIELDS in Evolution Controller allows unauthenticated attackers to retrieve ABACARD values
CVSS 7.5 Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- CVE-2024-29843 Broken Access control on MOBILE_GET_USERS_LIST in Evolution Controller allows unauthenticated user enumeration
CVSS 7.5 Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- CVE-2024-29844 Default credentials on web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below allow attackers to log in and perform administrative functions
CVSS 9.8 Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Credit
CVE-2024-29836 through to 29843 were reported by security researcher Adam Foster. You can find his writeup here.
DirectCyber decided to additionally publish CVE-2024-29844 (default credentials) during its own research and validation of the reported vulnerabilities.
Details
CVE-2024-29836
Broken Authentication on USER_CHANGE in Evolution Controller allows unauthenticated account creation and takeover
Details: The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below contains poorly configured access control, allowing an unauthenticated attacker to update and add user profiles within the application and gain full access to the site.
CWE-284 Improper Access Control
CVSS 3.1: 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2024-29837
Poor session management in Evolution Controller allows administrator functionality for unauthenticated connections
Details: The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below uses poor session management, allowing for an unauthenticated attacker to access administrator functionality if any other user is already signed in.
CWE-1390: Weak Authentication
CWE-284: Improper Access Control
CVSS 3.1: 8.8 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2024-29838
Unsanitised variable on DAL_ADD in Evolution Controller causes application level denial of service and crash
Detail: The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below does not properly sanitize user input, allowing an unauthenticated attacker to crash the controller software.
CWE-457: Use of Uninitialized Variable
CWE-20: Improper Input Validation
CVSS 3.1: 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2024-29839
Broken Access control on DESKTOP_EDIT_USER_GET_CARD in Evolution Controller allows unauthenticated attackers to retrieve card data values.
Detail: The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below contains poorly configured access control on DESKTOP_EDIT_USER_GET_CARD, allowing an unauthenticated attacker to return the card value data of any user.
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-284: Improper Access Control
CVSS 3.1: 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2024-29840
Broken Access control on DESKTOP_EDIT_USER_GET_PIN_FIELDS in Evolution Controller allows unauthenticated attackers to retrieve PIN field values
Detail: The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below contains poorly configured access control on DESKTOP_EDIT_USER_GET_PIN_FIELDS, allowing an unauthenticated attacker to return the PIN value of any user.
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-284: Improper Access Control
CVSS 3.1: 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2024-29841
Broken Access control on DESKTOP_EDIT_USER_GET_KEYS_FIELDS in Evolution Controller allows unauthenticated attackers to retrieve keys values
Detail: The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below contains poorly configured access control on DESKTOP_EDIT_USER_GET_KEYS_FIELDS, allowing an unauthenticated attacker to return the keys value of any user.
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-284: Improper Access Control
CVSS 3.1: 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2024-29842
Broken Access control on DESKTOP_EDIT_USER_GET_ABACARD_FIELDS in Evolution Controller allows unauthenticated attackers to retrieve ABACARD values
Detail: The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below contains poorly configured access control on DESKTOP_EDIT_USER_GET_ABACARD_FIELDS, allowing an unauthenticated attacker to return the ABACARD field of any user.
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-284: Improper Access Control
CVSS 3.1: 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2024-29843
Broken Access control on MOBILE_GET_USERS_LIST in Evolution Controller allows unauthenticated user enumeration
Detail: The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below contains poorly configured access control on MOBILE_GET_USERS_LIST, allowing an unauthenticated attacker to enumerate all users and their access levels.
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-284: Improper Access Control
CVSS 3.1: 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2024-29844
Default credentials on web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below allow attackers to log in and perform administrative functions.
Detail: Default credentials on the Web Interface of Evolution Controller allow anyone to log in to the server directly and perform administrative functions. Upon installation or first login, the application does not ask the user to change the password. There is no warning or prompt to ask the user to change the default password.
CWE-1392: Use of Default Credentials
CVSS 3.1: 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
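The entries above share three control failures: a request is served without any credential of its own (the broken access control on USER_CHANGE, DESKTOP_EDIT_USER_GET_* and MOBILE_GET_USERS_LIST), login state is effectively shared across connections (the session management issue in CVE-2024-29837), and a request value reaches the data layer unchecked (DAL_ADD). The following Python is an added example written for this page, not code from CS Technologies, DirectCyber or the researcher; it borrows the command names from the advisory, but every handler, the session model, the sample users and the role policy are assumptions. It shows a dispatcher that ties each request to its own session token, checks the required role before any handler runs, and validates input, beside the weak pattern of a single process-wide "logged in" flag for contrast.

```python
"""Constructed example: per-session authentication, per-command authorization
and input validation in a command dispatcher. NOT Evolution Controller's code;
command names echo the advisory, everything else here is assumed."""
import copy
import hashlib
import hmac
import secrets

_SALT = b"constructed-salt"  # illustrative only; use a random per-user salt in practice


def _hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


# Constructed user store with sample values, not taken from any real site.
SAMPLE_USERS = {
    "alice": {"role": "admin", "pw": _hash_pw("correct horse"), "card": "0001-1234"},
    "bob": {"role": "user", "pw": _hash_pw("battery staple"), "card": "0002-5678"},
}
ROLE_RANK = {"user": 1, "admin": 2}
# Minimum role each command requires; commands not listed here are refused.
COMMAND_POLICY = {
    "MOBILE_GET_USERS_LIST": "user",
    "DESKTOP_EDIT_USER_GET_CARD": "admin",
    "USER_CHANGE": "admin",
    "DAL_ADD": "admin",
}


class AuthError(Exception):
    pass


class ValidationError(Exception):
    pass


class HardenedServer:
    """Each request carries its own token; nothing is shared between
    connections, and the role check runs before any handler is reached."""

    def __init__(self):
        self.users = copy.deepcopy(SAMPLE_USERS)
        self.sessions = {}  # token -> username
        self.dal = []  # stand-in for the data layer behind DAL_ADD

    def login(self, user, password):
        rec = self.users.get(user)
        # compare_digest keeps the hash comparison constant-time.
        if rec is None or not hmac.compare_digest(rec["pw"], _hash_pw(password)):
            raise AuthError("bad credentials")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token

    def handle(self, command, args, token=None):
        required = COMMAND_POLICY.get(command)
        if required is None:
            raise ValidationError(f"unknown command {command!r}")
        caller = self.sessions.get(token)  # this request's credential, not a global flag
        if caller is None:
            raise AuthError("authentication required")
        if ROLE_RANK[self.users[caller]["role"]] < ROLE_RANK[required]:
            raise AuthError(f"{command} requires role {required}")
        return self._dispatch(command, args)

    def _dispatch(self, command, args):
        if command == "MOBILE_GET_USERS_LIST":
            return sorted(self.users)
        if command == "DESKTOP_EDIT_USER_GET_CARD":
            return self._lookup(args)["card"]
        if command == "USER_CHANGE":
            target = self._lookup(args)
            if args.get("role") not in ROLE_RANK:
                raise ValidationError("invalid role")
            target["role"] = args["role"]
            return True
        if command == "DAL_ADD":
            # Validate before use: a missing, non-string, empty, oversized or
            # non-printable value is rejected here instead of being handed to
            # the data layer, where an unchecked variable can take the service down.
            name = args.get("name")
            if not isinstance(name, str) or not 1 <= len(name) <= 64 or not name.isprintable():
                raise ValidationError("invalid name")
            self.dal.append(name)
            return len(self.dal)
        raise ValidationError(command)

    def _lookup(self, args):
        rec = self.users.get(args.get("user"))
        if rec is None:
            raise ValidationError("no such user")
        return rec


class WeakServer(HardenedServer):
    """For contrast: one process-wide flag, so every connection is served once
    anyone has logged in, and no role check before dispatch."""

    def __init__(self):
        super().__init__()
        self.logged_in = False

    def login(self, user, password):
        super().login(user, password)
        self.logged_in = True  # shared state; no per-connection token is issued

    def handle(self, command, args, token=None):
        if not self.logged_in:
            raise AuthError("authentication required")
        return self._dispatch(command, args)
```

The point of the contrast is observable rather than theoretical: on `HardenedServer`, a caller without a token is refused whether or not someone else is logged in, and a `user`-role token is refused the `admin`-only commands; on `WeakServer`, one administrator logging in is enough for a token-less caller to be served `DESKTOP_EDIT_USER_GET_CARD`. When reviewing an access-control product, the questions to ask of each administrative command are exactly the three this example encodes: which credential authorizes this request, where is the role checked, and what validation sits between the request value and the data layer.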