A recent discovery by a group of security researchers at Positive Technologies revealed that a critical vulnerability could have allowed hackers to bypass the doors and turnstiles of several high-profile institutions and organizations.
The issue at hand concerns IDEMIA’s ACS-equipped biometric readers, where a critical vulnerability — when exploited — may allow unauthorized access to protected areas and the deactivation of access control systems.
Critical Vulnerability in IDEMIA Biometric Identification
The details in PTSecurity’s recent security alert reveal that the issue is very serious. A vulnerability score that exceeds nine points on the CVSS v3 scale (Common Vulnerability Scoring System version 3) indicates that this is a severe threat.
The flaw has been identified by security researchers Natalya Tlyapova, Sergey Fedonin, Vladimir Kononovich, and Vyacheslav Moskvin in several biometric reader products. Particularly of note is “the IDEMIA ACS equipped with fingerprint scanners and combined devices that analyze fingerprints and vein patterns,” stated Vladimir Nazarov, Head of ICS Security at Positive Technologies.
Three security vulnerabilities in total have been registered in the CVE system (Common Vulnerabilities and Exposures): CVE-2021-35522, CVE-2021-35521, and CVE-2021-35520, the first being categorized as critical. According to IDEMIA’s official Security Bulletin, vulnerability CVE-2021-35522 is a “Stack-based Buffer Overflow” security flaw. The flaw allows a remote attacker operating from the network to exploit a stack buffer overflow “on some thrift command handling functions to perform a remote code execution on a device running the vulnerable firmware.”
Hackers can use specific commands to gain control
According to IDEMIA’s Security Bulletin, this security issue may compromise the data stored on a device, as well as cause unavailability if the TLS protocol is left disabled. While the other vulnerabilities (Heap-based Buffer Overflow and Relative Path Traversal) have been categorized as “medium,” they all confirm that a remote attacker (hacker) can compromise a vulnerable device.
More in-depth information reveals that a remote attacker can use the commands “trigger_relay” and “terminal_reboot” to unlock doors or turnstiles as well as cause a denial of service.
List of affected devices
PTSecurity’s official list of affected devices are as follows;
- MorphoWave Compact MD
- MorphoWave Compact MDPI
- MorphoWave Compact MDPI-M
- VisionPass MD
- VisionPass MDPI
- VisionPass MDPI-M
- SIGMA Lite (all versions)
- SIGMA Lite+ (all versions)
- SIGMA Wide (all versions)
- SIGMA Extreme
- MA VP MD
Security Bulletin Describes How to Mitigate The Vulnerability
To eliminate the security threats discovered by threat intelligence, PTSecurity recommends that the TLS protocol is enabled and correctly configured per Section 7 of IDEMIA’s Secure Installation Guidelines.
PTSecurity also confirmed that future device firmware versions will have TLS activation set as mandatory by default to eliminate future cybersecurity risks.
About PTSecurity And IDEMIA
Positive Technologies (PTSecurity) is a leading global enterprise cybersecurity provider that has a history of mitigating serious cybersecurity incidents relating to some of the highest-level organizations, such as Google, Cisco, Honeywell, Microsoft, and Siemens. The company, headquartered in Moscow, Russia, with eight other office locations across eight countries, offers cybersecurity solutions that span from IoT devices to nuclear power stations.
Due to geopolitical tensions and the distrust forming after the historic SolarWinds incident, Russian cybersecurity specialist PTSecurity was placed on a United States entity list of blacklisted tech companies in the Spring of last year. A host of Chinese organizations were blacklisted last December.
IDEMIA is a company based in France that offers identity-related security services such as biometric identification products, facial recognition, and proprietary software to governments and private companies. This is not the first time the company has experienced buffer overflow and path traversal vulnerabilities relating to access control. A previous instance led them to release fixes last year in July.
IDEMIA’s “IDEMIA physical Access Control devices,” like the MorphoWave XP, are used by “the world’s largest financial institutions, universities, healthcare organizations, and critical infrastructure facilities.”