Flaws in biometric hardware have since been patched
Vulnerabilities in biometric access control devices manufactured by IDEMIA could lead to remote code execution (RCE), denial of service, and the reading and writing of arbitrary files, researchers have warned.
“Exploitation of this vulnerability allows attackers to bypass the biometric identification provided by the IDEMIA devices,” said Vladimir Nazarov, head of ICS security at Positive Technologies.
“As a result, criminals can, for example, remotely open doors controlled by the device and enter secured areas.”
Researchers from Positive Technologies identified three vulnerabilities affecting some versions of facial recognition device VisionPass, fingerprint-reading products MorphoWave and SIGMA, and finger vein/fingerprint-reading MA VP MD devices.
The first (CVE-2021-35522), a critical buffer overflow flaw with a CVSS score of 9.8, could allow attackers to remotely execute arbitrary code.
It occurs through the lack of a length check in the input received from the Thrift protocol network packet, a blog post explains.
The second bug (CVE-2021-35520, CVSS 6.2) is a heap overflow vulnerability in the serial port handler, which can cause denial of service – but only if the attacker has physical access to the serial port.
The third vulnerability (CVE-2021-35521, CVSS 5.9) is a path traversal bug which can allow an attacker to read and write arbitrary files on an affected device, potentially allowing unauthorized execution of privileged commands.
All three vulnerabilities have been patched by the vendor, which has released a security advisory (PDF) detailing the fixes and all affected devices.
The vulnerabilities can be fixed by using the usual process to update the device to the non-vulnerable software, French multinational IDEMIA explained.
However, users can mitigate against it via an “application of TLS server authentication on the device and feeding it with the public certificate of the access control server mitigate the aforementioned vulnerabilities”.