Kaspersky researchers have found 24 vulnerabilities in biometric devices made by ZKTeco, which are used in various settings like offices, hospitals, and even nuclear and chemical plants. The security flaws can allow attackers to bypass the biometric verification process and gain unauthorized access.
One major issue, CVE-2023-3938, lets attackers inject malicious SQL into the system's database queries, an attack known as SQL injection. In an SQL injection attack, malicious code is inserted into an SQL query through the input fields of a web application. By exploiting this flaw, attackers can manipulate the database, gaining unauthorized access to sensitive information, altering data, or executing administrative operations.
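To make the SQL injection mechanism concrete, here is an added example (not code from the article or from ZKTeco's firmware) using a constructed, hypothetical access-control user table in SQLite: a lookup built by string concatenation lets an input value rewrite the query, while the parameterised form and an allow-list check on the expected ID format do not.

```python
import re
import sqlite3

# Constructed sample data; the schema is hypothetical, not ZKTeco's.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id TEXT PRIMARY KEY, name TEXT, access_level INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("1001", "alice", 2), ("1002", "bob", 1)])
    return conn

def lookup_vulnerable(conn, user_id):
    # The input is spliced into the SQL text, so quotes and operators in it
    # become part of the statement the database parses.
    sql = "SELECT user_id, name FROM users WHERE user_id = '" + user_id + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, user_id):
    # Parameterised query: the value is bound separately and is never parsed
    # as SQL, so it can only ever match a literal user_id.
    return conn.execute("SELECT user_id, name FROM users WHERE user_id = ?",
                        (user_id,)).fetchall()

def is_valid_user_id(user_id):
    # Defence in depth: terminal user IDs are expected to be short numeric
    # strings (an assumption here), so reject anything else before querying.
    return re.fullmatch(r"[0-9]{1,10}", user_id) is not None

if __name__ == "__main__":
    db = build_db()
    tampered = "' OR '1'='1"   # constructed input that is not a real user ID
    print("vulnerable:", lookup_vulnerable(db, tampered))  # returns every row
    print("safe:      ", lookup_safe(db, tampered))        # returns nothing
    print("validated: ", is_valid_user_id(tampered))       # False
```

The first lookup returns every enrolled user for an input that matches none of them, which is exactly the kind of unintended query behaviour the article describes; the parameterised version returns an empty result.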
Another vulnerability, CVE-2023-3940, lets attackers read arbitrary files on the system, including potentially sensitive biometric information and password data, further compromising security.
CVE-2023-3942 is another SQL injection flaw that allows attackers to access sensitive data from the devices’ databases. Additionally, CVE-2023-3939 and CVE-2023-3943 allow hackers to execute arbitrary commands on the devices, giving them complete control over the system and enabling them to launch broader attacks on the network.
Lastly, CVE-2023-3941 lets attackers upload their own data, such as photos, into the system, which can then be used to bypass security checks and gain access to restricted areas. This flaw also allows the replacement of executable files, potentially creating backdoors for future attacks.
The Kaspersky team says these vulnerabilities affect various ZKTeco models, including the company's ProFace X and Smartec solutions. Kaspersky has reported these issues to the company, but no patches have been released yet.
Source: Infosecurity Magazine
June 13, 2024 – by Ali Nassar-Smith