CVE-2022-45766: The Key to Keeping Keys Safe

Girls Learn Cyber, Inc. (GLC) students conducted open source intelligence (OSINT) research on electronic key boxes via Shodan. In their research GLC students research found Key Systems, Inc. Global Facilities Management System (GFMS) software publicly available across various organizations. They then found the default admin username and PIN in a publicly available technical manual. Following the bug bounty rules of one organization, they tested the hardcoded admin credentials and successfully achieved administrator access of GFMS remotely.

From there, the GLC students found that one can greatly impact the availability and confidentiality of GFMS instances. Here are examples of what one can do upon using the hardcoded credentials:

• View all usernames of keys

• View full-names of owners of the keys

• View the purpose of each key

• Open or close the electronic key box of keys

• Change the administrator credentials

• Reboot the electronic key box

• Change alarm settings

• Change web server security settings

The above steps were replicated across multiple instances of GFMS. GLC students recommend GFMS users change the default username and PIN to better secure their systems.

Based off our previous work above on finding weaknesses on Global Facilities Management Software (GFMS), we submitted a CVE entry.

Here are the data we authored for this CVE:

• Name of Affected Product: Global Facilities Management System

• Affected Version: Version 3

• Vendor: Key Systems, Inc.

• CVE ID: CVE-2022-45766

• Vulnerability Type: Improper Access Control

• CWE ID: CWE-284

• Attack Type: Remote

• Impacts: Information Disclosure, Denial of Service

• Description: Improper access control via hardcoded credentials in Global Facilities Management Software (GFMS) Version 3 software distributed by Key Systems Inc. permits remote attacks to impact availability, confidentiality, accessibility, and dependability of electronic key boxes.