Cybersecurity specialists report the discovery of multiple vulnerabilities in biometric access control devices developed by French multinational IDEMIA. According to the report, successful exploitation of these vulnerabilities would allow threat actors to deploy remote code execution (RCE), denial of service (DoS), and arbitrary file writing attacks.
Vladimir Nazarov, a researcher at Positive Technologies, mentions: “Cybercriminals can open doors controlled by affected devices remotely and access restricted areas in private companies and government organizations.” Nazarov’s team identified a total of three flaws residing in VisionPass facial recognition devices, MorphoWave and SIGMA fingerprint reading products, and MA VP MD fingerprint reading devices.
The first flaw was identified as CVE-2021-35522 and was described as a buffer overflow bug that would allow hackers to execute remote code. Apparently, the flaw exists due to the absence of length verification on the received entries of the Thrift package; the vulnerability received a score of 9.8/10 on the Common Vulnerability Scoring System (CVSS) scale.
The second flaw, identified as CVE-2021-35520, is a stack overflow error in the serial port driver that could lead to a DoS condition. The vulnerability received a CVSS score of 6.2/10 and is considered of low severity as its exploitation requires physical access to the affected device.
Finally, experts mention that CVE-2021-35521 is a path-traversing vulnerability that would allow threat actors to read and write arbitrary files to the affected devices, allowing arbitrary commands to be executed.
The flaws were reported to the manufacturer according to guidelines established by the cybersecurity community. IDEMIA announced that all three vulnerabilities have already been addressed; Full reports of these flaws and their updates are available on official platforms.
Flaws can be corrected using the usual process to upgrade the device to secure versions of IDEMIA’s software, although there are also workarounds to mitigate the risk of exploitation.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.