ZKTeco Biometric System has been discovered to have 24 critical security vulnerabilities.
An analysis of a hybrid biometric access system made by the Chinese manufacturer ZKTeco has revealed 24 critical security vulnerabilities. The flaws could allow attackers to bypass authentication, steal biometric data, and implant backdoors on the device.
According to Kaspersky, attackers could exploit these vulnerabilities by injecting arbitrary user records into the device's database or by presenting forged QR codes to the reader, either of which bypasses authentication and grants unauthorized physical access. The risks extend to the theft and exposure of stored biometric data, remote manipulation of the device, and the installation of backdoors.
The vulnerabilities encompass six SQL injections, seven stack-based buffer overflows, five command injections, four instances of arbitrary file writes, and two cases of arbitrary file reads. Each type of vulnerability poses significant security risks, as outlined in their respective CVE entries:
- CVE-2023-3938 (CVSS score: 4.6): SQL injection flaw allowing authentication bypass via crafted requests.
- CVE-2023-3939 (CVSS score: 10.0): Command injection flaws enabling execution of OS commands with root privileges.
- CVE-2023-3940 (CVSS score: 7.5): Arbitrary file read vulnerabilities permitting unauthorized access to sensitive files.
- CVE-2023-3941 (CVSS score: 10.0): Arbitrary file write vulnerabilities facilitating unauthorized modifications to system files.
- CVE-2023-3942 (CVSS score: 7.5): SQL injection vulnerabilities for unauthorized database operations.
- CVE-2023-3943 (CVSS score: 10.0): Stack-based buffer overflow flaws enabling execution of arbitrary code.
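To make the SQL-injection class concrete, here is an added example that is not part of the Kaspersky report or ZKTeco's firmware: a hypothetical user-lookup routine of the kind a terminal might run on the text decoded from a presented QR code, first with the payload spliced into the query (vulnerable), then with input validation and a bound parameter (hardened). The table layout, the sample users and the injection payload are all constructed for the illustration; the real device's schema and protocol are not on the page.

```python
import sqlite3

# Constructed sample data standing in for a terminal's local user table.
SAMPLE_USERS = [
    (1001, "alice", "active"),
    (1002, "bob", "active"),
    (1003, "carol", "disabled"),
]


def make_db():
    """Build an in-memory database with the hypothetical users table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, name TEXT, status TEXT)"
    )
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    db.commit()
    return db


def lookup_user_unsafe(db, qr_payload):
    """Vulnerable pattern: the decoded QR text is concatenated into the SQL.

    A payload such as  ' OR '1'='1  turns the WHERE clause into
        user_id = '' OR '1'='1' AND status = 'active'
    which matches every active user, so the caller "authenticates" an
    attacker who holds no valid credential at all.
    """
    sql = (
        "SELECT user_id, name FROM users WHERE user_id = '"
        + qr_payload
        + "' AND status = 'active'"
    )
    return db.execute(sql).fetchall()


def lookup_user_safe(db, qr_payload):
    """Hardened pattern: validate the shape first, then bind as a parameter.

    The database driver sends the value separately from the query text, so
    quotes and keywords inside the payload can never change the statement.
    The length/digit check rejects garbage before it reaches the database.
    """
    if not qr_payload.isdigit() or len(qr_payload) > 10:
        return []
    sql = "SELECT user_id, name FROM users WHERE user_id = ? AND status = 'active'"
    return db.execute(sql, (int(qr_payload),)).fetchall()


def authenticate(db, qr_payload, safe=True):
    """Return the matched user_id, or None when access must be denied.

    Exactly one row must match; zero or more than one is treated as a failure,
    which also blunts injection payloads that widen the result set.
    """
    rows = lookup_user_safe(db, qr_payload) if safe else lookup_user_unsafe(db, qr_payload)
    if len(rows) != 1:
        return None
    return rows[0][0]


if __name__ == "__main__":
    db = make_db()
    forged = "' OR '1'='1"  # constructed injection payload encoded in a QR code
    print("unsafe lookup, valid id   :", lookup_user_unsafe(db, "1001"))
    print("unsafe lookup, forged code:", lookup_user_unsafe(db, forged))
    print("safe lookup, forged code  :", lookup_user_safe(db, forged))
    print("safe authenticate, valid  :", authenticate(db, "1001"))
    print("safe authenticate, forged :", authenticate(db, forged))
```

The `authenticate` wrapper shows a second, independent layer: even if a query were still injectable, insisting on exactly one matching row stops the classic "OR 1=1" widening from being accepted as a login. The parameterized query is the actual fix; the row-count check is defence in depth.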
Georgy Kiguradze, the Kaspersky security researcher behind the analysis, stressed the broad impact of these vulnerabilities: stolen biometric data can be sold on illicit markets, and, unlike a password, it cannot be changed once leaked, which raises the long-term risk of deepfake and social engineering attacks against the affected individuals.
The vulnerabilities were identified through reverse engineering of the firmware (version ZAM170-NF-1.8.25-7354-Ver1.0.0) and the proprietary communication protocol used by the device. However, it remains unclear whether ZKTeco has addressed these issues with patches.
To mitigate these risks, Kaspersky recommends isolating the biometric readers on a dedicated network segment, setting strong administrator passwords, hardening the device configuration, limiting the use of QR-code authentication, and keeping the firmware regularly updated.
Kaspersky cautioned that while biometric devices are designed to bolster physical security, inadequately secured devices can undermine the benefits of biometric authentication, leaving organizations vulnerable to straightforward attacks that compromise physical security measures.