ZKTeco Biometric Terminal Found Vulnerable to 24 Security Flaws, Several Rated Critical
An analysis of a hybrid biometric access control terminal made by China-based ZKTeco has uncovered 24 security vulnerabilities that could be exploited by attackers to bypass authentication, steal biometric data, and even plant backdoors on the device.
“Through the addition of fabricated user details into the database or the utilization of a counterfeit QR code, a malevolent actor can effortlessly circumvent the verification steps and gain unauthorized entry,” Kaspersky said. “Attackers could also exfiltrate and expose biometric data, remotely manage devices, and embed backdoors.”
The 24 flaws break down into six SQL injections, seven buffer overflows, five command injections, four arbitrary file writes, and two arbitrary file reads. They were grouped under six CVE identifiers, summarized below:
- CVE-2023-3938 (CVSS score: 4.6) – A SQL injection flaw triggered when a QR code is shown to the device's camera: a specially crafted code containing a quotation mark breaks out of the lookup query, allowing an attacker to authenticate as any user in the database
- CVE-2023-3939 (CVSS score: 10.0) – A set of command injection flaws allowing execution of arbitrary operating system commands with root privileges
- CVE-2023-3940 (CVSS score: 7.5) – A set of arbitrary file read flaws allowing an attacker to bypass security checks and read any file on the system, including sensitive user data and system configuration
- CVE-2023-3941 (CVSS score: 10.0) – A set of arbitrary file write flaws allowing an attacker to write any file on the system as root, including tampering with the user database to add unauthorized users
- CVE-2023-3942 (CVSS score: 7.5) – A set of SQL injection flaws allowing an attacker to inject malicious SQL, perform unauthorized database operations, and steal sensitive data
- CVE-2023-3943 (CVSS score: 10.0) – A set of buffer overflow flaws allowing an attacker to execute arbitrary code on the device
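The QR-code bug (CVE-2023-3938) and the CVE-2023-3942 group share one root cause: text decoded from an untrusted input is spliced into a SQL string instead of being bound as a parameter. The snippet below is an added illustration of that bug class and its fix, not code from the ZKTeco firmware or from Kaspersky's report. The table layout, the token format and the `users` schema are assumptions; the real terminal's database is not described on this page. The payload relies on the SQLite comment sequence `--` to swallow the trailing quote, which is what the single quotation mark in the crafted QR code buys the attacker.

```python
import sqlite3


def build_db():
    """Build an in-memory stand-in for the terminal's user database.

    Constructed sample data; the schema is an assumption for this demo.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "id INTEGER PRIMARY KEY, name TEXT, qr_token TEXT, privilege INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (name, qr_token, privilege) VALUES (?, ?, ?)",
        [
            ("alice", "tok-alice-8f1c", 1),   # ordinary user
            ("admin", "tok-admin-3a9e", 14),  # administrator
        ],
    )
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, qr_payload):
    """Vulnerable lookup: the decoded QR text is concatenated into the query.

    A payload such as  ' OR name='admin' --  turns the WHERE clause into
        qr_token = '' OR name='admin' --'
    so the attacker is matched to the admin row without knowing any token.
    """
    sql = (
        "SELECT name, privilege FROM users WHERE qr_token = '"
        + qr_payload
        + "'"
    )
    rows = conn.execute(sql).fetchall()
    return rows[0] if rows else None


def lookup_user_fixed(conn, qr_payload):
    """Hardened lookup: the QR text is passed as a bound parameter.

    The driver hands the value to SQLite separately from the statement text,
    so quotes and comment markers inside it are never parsed as SQL.
    """
    rows = conn.execute(
        "SELECT name, privilege FROM users WHERE qr_token = ?", (qr_payload,)
    ).fetchall()
    return rows[0] if rows else None


if __name__ == "__main__":
    db = build_db()
    payload = "' OR name='admin' --"  # constructed attacker QR content
    print("legit token, vulnerable:", lookup_user_vulnerable(db, "tok-alice-8f1c"))
    print("injected, vulnerable:   ", lookup_user_vulnerable(db, payload))
    print("injected, fixed:        ", lookup_user_fixed(db, payload))
```

Running it shows the injected payload returning the `admin` row from the vulnerable function and `None` from the parameterized one, while a genuine token still resolves in both. Parameter binding is the fix; stripping quotation marks from QR content is not, since other SQL metacharacters and encodings would still need handling.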
“The repercussions of these identified vulnerabilities are exceedingly diverse,” stated security researcher Georgy Kiguradze. “Primarily, wrongdoers could traffic purloined biometric data in the concealed corners of the internet, exposing affected individuals to elevated risks of deepfakes and intricate social engineering attacks.”
Successful exploitation could let an attacker walk into otherwise restricted areas, and a compromised terminal can serve as a foothold for planting backdoors and moving into critical networks for espionage or sabotage.
The Russian cybersecurity firm, which reverse engineered the firmware (version ZAM170-NF-1.8.25-7354-Ver1.0.0) and the proprietary protocol used for device communication, said it is not clear whether the flaws have been patched.
To reduce the risk of a breach, it is advised to isolate the biometric readers in a separate network segment, use strong administrator passwords, harden the device's security settings, minimize reliance on QR codes for authentication, and keep the firmware up to date.
“Biometric devices aimed at enhancing physical security can both provide convenient, beneficial features and introduce new vulnerabilities to your IT infrastructure,” Kaspersky said.
“When sophisticated technology like biometrics is enclosed within a poorly fortified device, it significantly diminishes the advantages of biometric validation. Consequently, an incorrectly configured terminal becomes susceptible to straightforward attacks, making it simple for an intruder to breach the physical security of the organization’s vital areas.”