Trustwave identifies, remediates Uniguest kiosk vulnerability

Trustwave, a managed security service provider, disclosed July 11, 2019, that it has completed a six-month remediation process with Uniguest, following the discovery of a software flaw in one of the company's older kiosks. Originally identified by Adrian Pruteanu, senior security researcher at Trustwave SpiderLabs, during routine penetration testing, the vulnerability had the potential to expose guest information and log-in credentials to hackers, if left untreated.

In a July 11 blog post titled, "Hardcoded Credentials in Uniguest Kiosk Software lead to API Compromise," Pruteanu observed that Uniguest deploys self-attended solutions in hotel lobbies across North America. The machines are centrally managed and run a locked-down version of Windows that restricts users to basic tasks like web browsing and printing boarding passes.

"While providing some security consulting for a customer, I had the opportunity to do some research on one of these kiosks and discovered some serious vulnerabilities in a legacy unit that exposed credentials to the Uniguest Salesforce backend," Pruteanu wrote. "Now that these vulnerabilities have gone through our responsible disclosure process and fixed by Uniguest, we can discuss the technical details."

Successful collaboration

Karl Sigler, threat intelligence manager at Trustwave SpiderLabs, said the entire remediation process, from initial discovery to successful remediation, was exceptionally smooth, because security is a core value at Uniguest. Participants on both sides were equally committed to correcting flaws and securing the company's network.

"It's rare to find organizations that bake security into their system," Sigler said. "Uniguest is a market leader known for delivering a consistent, safe customer experience. They worked with us closely and took immediate action to resolve open issues."

Pruteanu provided the following project timeline and milestones:

• 2018-12-06 – Initial communication to Uniguest regarding findings
• 2019-02-08 - Uniguest investigates the issue internally
• 2019-03-18 - Uniguest responds with remediation steps taken
• 2019-03-25 - Remediation confirmed not complete and reported back to Uniguest
• 2019-04-11 - Additional findings reported to Uniguest
• 2019-04-30 - Uniguest responds with remediation steps taken
• 2019-04-30 - Additional issues confirmed to still be present
• 2019-06-11 - Uniguest remediates original and additional findings, but will leave the open API accessible
• 2019-07-11 - Advisory published

Monitor, detect, correct

Sigler additionally noted that it's not uncommon to find flaws in software; finding and fixing a failure point is not in itself a failure. "Finding a vulnerability is not a black eye," he said. "It's how you react to the situation that can make or break your reputation."

"All software has vulnerabilities to a greater or lesser degree," Pruteanu wrote. "A good judge of the security posture of any vendor is not if there are vulnerabilities are found in their products, but how quickly and seriously the vendor addresses those vulnerabilities."

Pruteanu agreed with Sigler that not all organizations are receptive to red flag notifications from third-party researchers like Trustwave. "Uniguest was a pleasure to work with during the disclosure process," he wrote. "They took the reports seriously, worked hard to address the issues on legacy products and had have taken steps like incorporating application and physical penetration testing to their product development lifecycle."

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.