ZKTeco Biometric System Found Vulnerable to 24 Critical Security Flaws


An examination of a hybrid biometric access system manufactured by ZKTeco, a Chinese company, has revealed twenty-four security vulnerabilities that could potentially allow attackers to bypass authentication, steal biometric data, and implant malicious backdoors.

According to Kaspersky, “Attackers can exploit vulnerabilities such as adding random user data to the database or using a counterfeit QR code to circumvent verification, gaining unauthorized access. Additionally, they can extract and expose biometric data, remotely manipulate devices, and install backdoors.”

The 24 flaws comprise six SQL injections, seven stack-based buffer overflows, five command injections, four arbitrary file writes, and two arbitrary file reads. Each class of flaw received a single CVE identifier, summarized as follows:

  • CVE-2023-3938 (CVSS score: 4.6): SQL injection triggered by showing the device’s camera a QR code that carries a specially crafted request containing a quotation mark, allowing an attacker to authenticate as any user in the database.
  • CVE-2023-3939 (CVSS score: 10.0): Command injection flaws enabling execution of arbitrary OS commands with root privileges.
  • CVE-2023-3940 (CVSS score: 7.5): Arbitrary file read vulnerabilities allowing unauthorized access to any file on the system, including sensitive user data and system configurations.
  • CVE-2023-3941 (CVSS score: 10.0): Arbitrary file write vulnerabilities enabling an attacker to write files on the system with root privileges, including manipulating the user database to insert unauthorized users.
  • CVE-2023-3942 (CVSS score: 7.5): SQL injection flaws permitting an attacker to insert malicious SQL code and perform unauthorized database operations, potentially compromising sensitive data.
  • CVE-2023-3943 (CVSS score: 10.0): Stack-based buffer overflow flaws facilitating execution of arbitrary code.
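The QR-code SQL injection (CVE-2023-3938) is the simplest of the six classes to reason about, so here is an added illustration, not code from the Kaspersky report or from ZKTeco firmware, of how a single quotation mark in scanned data turns a credential lookup into an authentication bypass, and how binding the payload as a parameter removes the problem. The `users` table, the `badge_code` column, the sample rows and the query shape are assumptions made for this example; the page does not disclose the firmware's actual schema or query.

```python
import sqlite3

# Constructed sample data: a tiny in-memory stand-in for an access
# terminal's user table. Names, columns and rows are assumptions for
# illustration, not ZKTeco's schema.
USERS = [
    (1, "alice", "QR-0001"),
    (2, "bob", "QR-0002"),
]


def make_db():
    """Create the sample table in memory so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER, name TEXT, badge_code TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, qr_payload):
    """Builds the query by string concatenation. A quotation mark inside
    the scanned payload closes the string literal, so the rest of the
    payload is parsed as SQL and changes the query's structure."""
    sql = "SELECT uid, name FROM users WHERE badge_code = '" + qr_payload + "'"
    return conn.execute(sql).fetchone()


def lookup_safe(conn, qr_payload):
    """Parameterised query: the payload is bound as data and can never
    alter the statement, whatever characters it contains."""
    sql = "SELECT uid, name FROM users WHERE badge_code = ?"
    return conn.execute(sql, (qr_payload,)).fetchone()


def demo():
    """Run both lookups against a legitimate badge and a forged QR code."""
    conn = make_db()
    legit = "QR-0002"
    # A QR code carrying a single quote followed by a tautology. In the
    # concatenated query this becomes
    #   ... WHERE badge_code = '' OR '1'='1'
    # which matches every row, so the first user in the table is returned
    # and the terminal "authenticates" the attacker as that user.
    forged = "' OR '1'='1"
    return {
        "legit_vuln": lookup_vulnerable(conn, legit),    # (2, 'bob')
        "forged_vuln": lookup_vulnerable(conn, forged),  # (1, 'alice')
        "legit_safe": lookup_safe(conn, legit),          # (2, 'bob')
        "forged_safe": lookup_safe(conn, forged),        # None
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name}: {row}")
```

The forged payload succeeds against the concatenated query without the attacker knowing any valid badge value; the parameterised version returns no row because the literal string `' OR '1'='1` is simply not anyone's badge code. Rejecting quotation marks in the scanned data would only narrow the attack surface; binding parameters removes it.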

Georgy Kiguradze, a security researcher, emphasized the extensive impact of these vulnerabilities, stating, “The repercussions are alarmingly diverse. Attackers could profit from selling stolen biometric data on the dark web, increasing the risk of deepfake and sophisticated social engineering attacks.”

Moreover, successful exploitation of these vulnerabilities could enable malicious actors to breach restricted areas, implant backdoors, and infiltrate critical networks for cyber espionage or disruptive purposes.

Kaspersky, the Russian cybersecurity firm that identified these flaws through reverse engineering of the firmware (version ZAM170-NF-1.8.25-7354-Ver1.0.0) and the proprietary communication protocol, noted that it is unaware of any patches addressing these issues.

To reduce the risk of exploitation, Kaspersky recommends isolating the biometric readers on a separate network segment, using strong administrator passwords, hardening the devices’ security settings, minimizing reliance on QR codes for access, and keeping the systems up to date.

“When biometric devices, designed to enhance physical security, are inadequately secured,” Kaspersky cautioned, “they undermine the benefits of biometric authentication. Poorly configured terminals become vulnerable to straightforward attacks, compromising the physical security of critical areas within organizations.”

Source: thehackernews.com