PT-2023-3867 · Axis · Axis A1001

Published: 2023-07-25 · Updated: 2024-11-08 · CVE-2023-21406

CVSS v3.1: 8.8 (High)
Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: AXIS A1001 (affected versions not specified)
Description: The issue is a heap-based buffer overflow in the pacsiod process, which handles Open Supervised Device Protocol (OSDP) communication. By appending invalid data to an OSDP message, an attacker can write outside the allocated buffer, potentially enabling the execution of arbitrary code. The vulnerability could be exploited by an attacker with physical access to the RS-485 interface, located on the back panel of the reader, to unlock doors and modify logs without detection. Additionally, the vulnerability could be used for remote code execution on the internal access controller from outside the target facility, through the serial communication channel between the reader and the controller.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
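The weakness described above is the classic case of a parser trusting a length field carried inside the message it is parsing. The following added example (written for this page, not Axis code and not a reconstruction of the pacsiod bug) shows the check a hardened OSDP frame receiver needs: the declared LEN field is validated against the bytes actually received and against a fixed maximum before it is used for any arithmetic or copy. The frame layout used (SOM 0x53, ADDR, 16-bit little-endian LEN, CTRL, command byte, data, 1-byte checksum or 2-byte CRC) follows the public OSDP framing; the maximum frame size, the error codes, the test frames and the command byte value are constructed for this example, and integrity verification of the trailer is intentionally omitted.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define OSDP_SOM        0x53   /* start-of-message marker */
#define OSDP_HDR_LEN    5      /* SOM, ADDR, LEN_LSB, LEN_MSB, CTRL */
#define OSDP_CTRL_CRC   0x04   /* CTRL bit 2 set: trailer is a 2-byte CRC, else a 1-byte checksum */
#define OSDP_CTRL_SCB   0x08   /* CTRL bit 3 set: a security control block follows the header */
#define MAX_FRAME       1440   /* constructed upper bound for this example's buffers */

typedef struct {
    uint8_t  addr;
    uint8_t  cmd;
    uint8_t *data;      /* heap buffer sized exactly data_len (free() it after use) */
    size_t   data_len;
} osdp_frame_t;

/* Parse one frame from buf[0..avail). Returns 0 on success, a negative code on any
 * framing violation. Never reads past avail and never writes past the buffer it
 * allocates, no matter what value the LEN field carries. */
int osdp_parse_frame(const uint8_t *buf, size_t avail, osdp_frame_t *out)
{
    if (buf == NULL || out == NULL) return -1;
    if (avail < OSDP_HDR_LEN) return -2;                  /* not even a full header arrived */
    if (buf[0] != OSDP_SOM) return -3;

    size_t  len  = (size_t)buf[2] | ((size_t)buf[3] << 8); /* declared total length, attacker-controlled */
    uint8_t ctrl = buf[4];
    size_t  trailer = (ctrl & OSDP_CTRL_CRC) ? 2 : 1;

    /* The declared length must be checked against both a fixed ceiling and the
       number of bytes actually received before it drives any copy. */
    if (len > MAX_FRAME) return -4;
    if (len > avail) return -5;                            /* claims more bytes than were received */
    if (ctrl & OSDP_CTRL_SCB) return -6;                   /* secure-channel frames not handled here */

    /* header + one command byte + trailer must all fit inside len; comparing this
       way avoids size_t underflow when deriving data_len. */
    size_t fixed = OSDP_HDR_LEN + 1 + trailer;
    if (len < fixed) return -7;
    size_t data_len = len - fixed;

    out->addr     = buf[1];
    out->cmd      = buf[OSDP_HDR_LEN];
    out->data_len = data_len;
    out->data     = malloc(data_len ? data_len : 1);
    if (out->data == NULL) return -8;
    memcpy(out->data, buf + OSDP_HDR_LEN + 1, data_len);  /* bounded by the checks above */
    return 0;
}

/* Constructed test frames (the command byte 0x61 is arbitrary for framing purposes). */
static const uint8_t kGoodFrame[]     = {0x53, 0x01, 0x09, 0x00, 0x00, 0x61, 0xDE, 0xAD, 0x00};
static const uint8_t kOverLenFrame[]  = {0x53, 0x01, 0x20, 0x00, 0x00, 0x61, 0xDE, 0xAD, 0x00}; /* LEN=32, only 9 bytes */
static const uint8_t kHugeLenFrame[]  = {0x53, 0x01, 0xFF, 0xFF, 0x00, 0x61, 0xDE, 0xAD, 0x00}; /* LEN=65535 */
static const uint8_t kShortLenFrame[] = {0x53, 0x01, 0x03, 0x00, 0x00, 0x61, 0xDE, 0xAD, 0x00}; /* LEN smaller than fixed part */

/* Returns 1 when the well-formed frame parses with the expected fields. */
int check_good_frame(void)
{
    osdp_frame_t f;
    if (osdp_parse_frame(kGoodFrame, sizeof kGoodFrame, &f) != 0) return 0;
    int ok = f.addr == 0x01 && f.cmd == 0x61 && f.data_len == 2 &&
             f.data[0] == 0xDE && f.data[1] == 0xAD;
    free(f.data);
    return ok;
}

/* Each returns the parser's error code for the corresponding malformed frame. */
int reject_overlong_len(void)  { osdp_frame_t f; return osdp_parse_frame(kOverLenFrame,  sizeof kOverLenFrame,  &f); }
int reject_huge_len(void)      { osdp_frame_t f; return osdp_parse_frame(kHugeLenFrame,  sizeof kHugeLenFrame,  &f); }
int reject_short_len(void)     { osdp_frame_t f; return osdp_parse_frame(kShortLenFrame, sizeof kShortLenFrame, &f); }

int main(void)
{
    printf("good frame parsed: %d\n", check_good_frame());
    printf("LEN > received: %d, LEN > MAX_FRAME: %d, LEN < fixed part: %d\n",
           reject_overlong_len(), reject_huge_len(), reject_short_len());
    return 0;
}
```

The point of the ordering is that `len` is compared with `avail` and `MAX_FRAME` before it is subtracted from or used as a copy length; a parser that derives `data_len` from the declared LEN first and sizes or fills its heap buffer from that value is the pattern that produces an out-of-bounds write when extra bytes are appended to a message.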

Weakness Enumeration

Memory Corruption

Heap Based Buffer Overflow

Buffer Overflow

Related Identifiers

BDU:2023-04159
CVE-2023-21406

Affected Products

Axis A1001