Overview
This vulnerability was discovered in May of 2017.
T2 Systems is a parking systems provider to multiple different organizations. NDSU uses it via the North Dakota University System contract. NDSU uses it to allow employees and students to buy parking permits for certain lots. According to the T2 webpage, other institutions use it to check if scanned license plates are allowed to park in certain lots.
Vulnerability
Workflow for NDSU employees and students to renew their parking permits was to log into the appropriate PeopleSoft system. Then to navigate to the parking system. At the time, as part of the step to get to choose the parking information, a Duo MFA was triggered for employees. Choose the institution to park at, then passed to the T2 Systems parking application without further authentication.
Looking at the network traffic showed that the entire request to authenticate against the parking system was:
POST https://ndus.t2hosted.com/cmn/auth.aspx
Post Data:
EMPLID[#######]
INST[NDSU]
Testing with a willing coworker resulted in me being able to directly access their records with only knowledge of their EMPLID. EMPLID is likely not a secret value across most users. There were no other tokens in use.
Impacts
At NDSU, how the system is used is reduces the impacts. Information from other universities suggested that individuals registered their license plates in the system, and those were checked by scanners. An attacker could easily remove valid license plates and/or add their own to other records. This also would allow an attacker to translate EMPLIDs to license plates via this system.
Resolution
NDUS in August 2017 move their T2 Systems parking integration over to SAML2.
There is no way to protect the original authentication mechanism which passes moderately well know values as its secret without any sort of cryptographic protection.
Communication
2017-05-16 NDUS notified and responsed
2017-05-16 T2 Systems Notified and responded
2017-05-18 last communication from T2 Systems
2017-08-14 NDUS switches to SAML