ZKTeco: 24 vulnerabilities jeopardize the security of nuclear power plants and factories

Tomcat

Attackers can use SQL injection to bypass access control and steal data.

Kaspersky Lab has discovered 24 vulnerabilities in biometric terminals made by the international manufacturer ZKTeco. Attackers can use these flaws to bypass access control systems and physically enter protected areas, steal biometric data, modify the terminal's databases, and install backdoors.

ZKTeco biometric readers are used in a variety of industries around the world, including nuclear power plants, industrial plants, offices, and healthcare facilities. They support four authentication methods: biometric (facial recognition), password, electronic pass, and QR code. A single terminal can store the biometric data of thousands of people. Kaspersky Lab specialists grouped the identified vulnerabilities, registered them as CVE entries, and reported them to the manufacturer.

One of the vulnerabilities (CVE-2023-3938) can be used to gain physical access to restricted areas. It stems from an SQL injection: the terminal embeds the contents of a scanned QR code in a database query, so an attacker can prepare a QR code that carries malicious SQL. When the terminal processes such a code, it mistakenly treats the request as coming from a legitimate user, granting unauthorized access to the terminal and, through it, to the protected area.
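The bug class behind CVE-2023-3938, shown as an added illustration that is not ZKTeco firmware or Kaspersky's proof of concept: a constructed in-memory enrolment table, a lookup that concatenates the scanned QR text into the query (vulnerable), and the same lookup with a bound parameter (hardened). The table layout, the badge format, the `INJECTED_QR` payload and the `door_decision` helper are all assumptions made for the demo.

```python
import sqlite3

# Constructed sample data for the demo (assumption: a 'users' table keyed by the
# text encoded in each person's QR badge; the real ZKTeco schema is not shown here).
ENROLLED_USERS = [("alice", "QR-1001-ALICE"), ("bob", "QR-1002-BOB")]

# Constructed attacker payload: once encoded into a QR code, it closes the string
# literal in the query and appends an always-true condition.
INJECTED_QR = "x' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Create an in-memory enrolment database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, qr_code TEXT UNIQUE)"
    )
    conn.executemany("INSERT INTO users (name, qr_code) VALUES (?, ?)", ENROLLED_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, scanned: str):
    """Vulnerable pattern: the scanned text is concatenated into the SQL string,
    so whatever the QR code carries is parsed as part of the query."""
    sql = "SELECT name FROM users WHERE qr_code = '" + scanned + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_hardened(conn: sqlite3.Connection, scanned: str):
    """Hardened pattern: a bound parameter keeps the scanned text as data only,
    so the same payload simply matches no enrolled badge."""
    row = conn.execute("SELECT name FROM users WHERE qr_code = ?", (scanned,)).fetchone()
    return row[0] if row else None


def door_decision(lookup, scanned: str) -> str:
    """Simulated access decision: 'open:<name>' when the lookup finds an
    enrolled user for the scanned text, otherwise 'denied'."""
    conn = make_db()
    try:
        name = lookup(conn, scanned)
    finally:
        conn.close()
    return f"open:{name}" if name else "denied"


if __name__ == "__main__":
    for label, fn in (("vulnerable", lookup_vulnerable), ("hardened", lookup_hardened)):
        print(label, "legitimate badge ->", door_decision(fn, "QR-1002-BOB"))
        print(label, "injected QR     ->", door_decision(fn, INJECTED_QR))
```

With the vulnerable lookup the injected QR code is accepted as the first enrolled user, which is exactly the effect the advisory describes; with the bound parameter it is denied. On a device like this a real fix also validates the scanned payload against the expected badge format before it reaches the database and fails closed on anything that does not parse.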

Kaspersky also described another way of fooling the terminal. If an attacker gains access to the device's database, they can extract a photo of a legitimate user, print it out, and hold it up to the terminal's camera. This only works, however, if the device's thermal sensors are disabled, since a paper printout has no heat signature.

Another group of vulnerabilities (CVE-2023-3940) allows attackers to read any file on the system, including sensitive biometric data and password hashes, which can lead to the compromise of corporate credentials. The stolen biometric data, however, is difficult to interpret and reuse.

Another vulnerability (CVE-2023-3941) lets attackers modify the device's database, for example by uploading their own photos and adding themselves to the list of authorized users. The same flaw also allows executable files to be replaced, which makes it possible to install backdoors.

Two further vulnerabilities (CVE-2023-3939 and CVE-2023-3943) allow arbitrary commands or code to be executed on the device, giving attackers full control with the highest level of privileges. This puts the entire corporate infrastructure at risk, since a compromised terminal can be used as a foothold for attacking other hosts on the network.