ZKTeco Biometric System Found Vulnerable to 24 Critical Security Flaws

ZKTeco Biometric System Found Vulnerable to 24 Critical Security Flaws



An analysis of a hybrid biometric access system from Chinese manufacturer ZKTeco has uncovered two dozen security flaws that could be used by attackers to defeat authentication, steal biometric data, and even deploy malicious backdoors.

"By adding random user data to the database or using a fake QR code, a nefarious actor can easily bypass the verification process and gain unauthorized access," Kaspersky said. "Attackers can also steal and leak biometric data, remotely manipulate devices, and deploy backdoors."

The 24 flaws span six SQL injections, seven stack-based buffer overflows, five command injections, four arbitrary file writes, and two arbitrary file reads. A brief description of each vulnerability type is below -

  • CVE-2023-3938 (CVSS score: 4.6) - An SQL injection flaw when displaying a QR code into the device's camera by passing a specially crafted request containing a quotation mark, thereby allowing an attacker to authenticate as any user in the database
  • CVE-2023-3939 (CVSS score: 10.0) - A set of command injection flaws that allows for execution of arbitrary OS commands with root privileges
  • CVE-2023-3940 (CVSS score: 7.5) - A set of arbitrary file read flaws that allows an attacker to bypass security checks and access any file on the system, including sensitive user data and system settings
  • CVE-2023-3941 (CVSS score: 10.0) - A set of arbitrary file write flaws that allows an attacker to write any file on the system with root privileges, including altering the user database to add rogue users
  • CVE-2023-3942 (CVSS score: 7.5) - A set of SQL injection flaws that allows an attacker to inject malicious SQL code and perform unauthorized database operations and siphon sensitive data
  • CVE-2023-3943 (CVSS score: 10.0) - A set of stack-based buffer overflow flaws that allows an attacker to execute arbitrary code

"The impact of the discovered vulnerabilities is alarmingly diverse," security researcher Georgy Kiguradze said. "To begin with, attackers can sell stolen biometric data on the dark web, subjecting affected individuals to increased risks of deepfake and sophisticated social engineering attacks."