Positive technologies Researchers Natalia Tlyapova, Sergey Fedonin, Vladimir Kononovich and Vyacheslav Moskvin discovered three vulnerabilities in IDEMIA MoprhoWave, VisionPass, SIGMA and MorphoAccess firmware from provider IDEMIA, a global leader in augmented identity. Affected devices are designed to organize access. control by biometric identification, and the defects have been corrected by the supplier.
By exploiting these vulnerabilities, attackers can execute remote commands, trigger a denial of service, and read and write arbitrary files on the device.
The first vulnerability (CVE-2021-35522), which has a CVSS v3 score of 9.8, signifying critical severity, would allow attackers to remotely execute arbitrary code. This is a Buffer Overflow vulnerability, which occurs due to the failure to verify the length in the input received from the Thrift protocol network packet.
Read also: Seven steps to ease the transition to a hybrid IT workplace
Vladimir Nazarov, ICS Security Manager, Positive Technologies, says: “Exploitation of this vulnerability allows attackers to bypass the biometric identification provided by the IDEMIA devices listed above. As a result, criminals can remotely open doors controlled by the device and enter secure areas. “
The second vulnerability (CVE-2021-35520, score 6.2) is a heap overflow vulnerability in the serial port manager. If attackers have physical access to the serial port, they can cause a denial of service.
The third issue (CVE-2021-35521, score 5.9) is a Path Traversal vulnerability. When exploited, it allows reading and writing of arbitrary files, which in turn can lead to the unauthorized execution of privileged commands on the device.