Chinese maker of hybrid biometric access control systems ZKTeco is under scrutiny following a Kaspersky report revealing several new vulnerabilities in its products.
In a June 11 blog post, researchers from Kaspersky's Security Assessment team revealed that they had found 24 vulnerabilities in ZKTeco biometric readers, which are used in building access systems across a range of industries, including offices, hospitals and nuclear and chemical plants.
Some of these flaws allow an attacker to bypass the verification process and gain unauthorized access, either by adding arbitrary user data to the device's database or by presenting a forged QR code. Attackers can also steal and leak biometric data, manipulate devices remotely and deploy backdoors.
SQL Injections and Arbitrary File Reading
One of the newly discovered vulnerabilities, tracked as CVE-2023-3938, allows an attacker to perform a SQL injection: attacker-controlled input is inserted unsanitized into a query sent to the terminal's database, so crafted input is interpreted as part of the SQL statement rather than as data.
In this case the injection point is the QR code. By encoding crafted data in the code presented to the reader, an attacker can gain unauthorized access to the terminal and, through it, physical access to the restricted areas it protects.
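As an illustration of the injection class described above (added here, not code from the article or from ZKTeco; the table layout, the badge lookup and the forged payload are assumptions made for the example), the following Python uses an in-memory SQLite database to contrast a lookup that splices the decoded QR payload into the query text with one that binds it as a parameter:

```python
import sqlite3


def build_db():
    """Constructed fixture: a toy user store standing in for a terminal's
    database. Schema and contents are assumptions for the example, not
    ZKTeco's actual data layout."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, badge TEXT, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (badge, name) VALUES (?, ?)",
        [("BADGE-1001", "alice"), ("BADGE-1002", "bob")],
    )
    conn.commit()
    return conn


def check_qr_vulnerable(conn, qr_payload):
    """Lookup that splices the decoded QR payload straight into the SQL text.
    Everything in the payload is parsed as SQL, so a quote followed by a
    boolean clause rewrites the WHERE condition."""
    query = f"SELECT name FROM users WHERE badge = '{qr_payload}' ORDER BY id"
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def check_qr_hardened(conn, qr_payload):
    """Same lookup with the payload bound as a parameter: the database
    receives it as a string value and never parses it as SQL."""
    row = conn.execute(
        "SELECT name FROM users WHERE badge = ? ORDER BY id", (qr_payload,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = build_db()
    # A forged QR code carrying a classic tautology payload (constructed).
    forged = "' OR '1'='1"
    print("legit badge, vulnerable:", check_qr_vulnerable(conn, "BADGE-1002"))
    print("forged QR,   vulnerable:", check_qr_vulnerable(conn, forged))
    print("forged QR,   hardened  :", check_qr_hardened(conn, forged))
```

With the forged payload the vulnerable lookup returns the first enrolled user, so the reader would accept the attacker as a legitimate badge holder; the parameterized version treats the same bytes as an ordinary, non-existent badge value and returns nothing. Parameter binding is the fix; trying to strip or escape quotes from the QR payload is not a substitute.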
CVE-2023-3940, meanwhile, stems from flaws in a software component that permit arbitrary file reading.
Exploiting it gives an attacker read access to any file on the system and the ability to exfiltrate it, including sensitive biometric user data and password hashes that could be used to compromise corporate credentials further.
Similarly, CVE-2023-3942 provides another route, again through SQL injection, to retrieve sensitive user and system information from the biometric devices' databases.
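The article does not say how the file-reading flaw works, but the check a developer wants on any code path that serves a file named by a client is the same: confine the resolved path to the directory meant to be served. The Python below is an added example, not code from the article or from ZKTeco; the directory names, file contents and request strings are constructed for illustration, and it uses a path-traversal request (`../`) and an absolute path because those are the usual ways such handlers end up reading arbitrary files.

```python
import os
import tempfile
from pathlib import Path


def make_sandbox():
    """Constructed fixture: a root holding an "exports" directory the device
    is meant to serve and a "config" directory it must not. The names and
    contents are made up for the example; they are not real ZKTeco paths."""
    root = Path(tempfile.mkdtemp())
    exports = root / "exports"
    exports.mkdir()
    (exports / "attendance.csv").write_bytes(b"alice,08:59\n")
    config = root / "config"
    config.mkdir()
    (config / "users.db").write_bytes(b"template-hash:deadbeef\n")
    return str(exports)


def read_export_vulnerable(export_dir, requested):
    """The client-supplied name is joined to the export directory with no
    validation, so "../config/users.db" walks out of it, and an absolute
    path makes os.path.join discard export_dir entirely."""
    with open(os.path.join(export_dir, requested), "rb") as f:
        return f.read()


def read_export_hardened(export_dir, requested):
    """Resolve both paths (normalizing ".." and following symlinks) and
    refuse anything whose real location is not strictly inside export_dir."""
    base = Path(export_dir).resolve()
    target = (base / requested).resolve()
    if base not in target.parents:
        raise PermissionError(f"{requested!r} escapes the export directory")
    if not target.is_file():
        raise FileNotFoundError(requested)
    return target.read_bytes()


def handle_request(export_dir, requested):
    """Minimal handler shape: status code plus body, so the two failure modes
    (rejected vs. simply missing) stay distinguishable."""
    try:
        return 200, read_export_hardened(export_dir, requested)
    except PermissionError:
        return 403, None
    except FileNotFoundError:
        return 404, None


if __name__ == "__main__":
    d = make_sandbox()
    print("vulnerable, traversal:", read_export_vulnerable(d, "../config/users.db"))
    print("hardened,   traversal:", handle_request(d, "../config/users.db"))
    print("hardened,   absolute :", handle_request(d, "/etc/passwd"))
    print("hardened,   legit    :", handle_request(d, "attendance.csv"))
```

The comparison is done on resolved paths rather than on the request string, so `..` segments, symlinks inside the export directory and absolute paths are all caught by one check; a blocklist of `../` substrings would miss encoded or symlinked variants.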
Command and Data Injection
Two other flaws discovered by Kaspersky, tracked as CVE-2023-3939 and CVE-2023-3943, allow arbitrary commands or code to be executed on some ZKTeco devices, giving the attacker complete control with the highest level of privileges.
With that foothold, the threat actor can manipulate the device's operation and use it as a launch point for attacks on other network nodes, extending the compromise across the wider corporate infrastructure.
Finally, by exploiting CVE-2023-3941, threat actors can upload their own data, such as photos, and thereby add unauthorized individuals to the user database.
This could let them pass turnstiles or doors unnoticed. The same vulnerability also allows attackers to replace executable files, potentially creating a backdoor.
All these vulnerabilities affect ZKTeco-based OEM devices, including the ZKTeco ProFace X, Smartec ST-FR043 and Smartec ST-FR041ME running firmware version ZAM170-NF-1.8.25-7354-Ver1.0.0, and possibly others.
The Kaspersky researchers who found the flaws shared their findings with the Chinese manufacturer before disclosing them publicly.
Their severity remains unknown, and no patches had been published at the time of writing.