Positive Technologies Uncovers Vulnerabilities in IDEMIA Biometric Identification Devices


Positive Technologies researchers Natalia Tlyapova, Sergey Fedonin, Vladimir Kononovich, and Vyacheslav Moskvin have discovered three vulnerabilities in the firmware of the MorphoWave, VisionPass, SIGMA and MorphoAccess devices from IDEMIA, a global leader in Augmented Identity. The affected devices are designed to provide access control through biometric identification; the flaws have been patched by the vendor.

By exploiting these vulnerabilities, attackers can perform remote command execution, cause a denial of service, and read and write arbitrary files on the device.

The first vulnerability (CVE-2021-35522), which has a CVSS v3 score of 9.8, signifying critical severity, would allow attackers to remotely execute arbitrary code. It is a buffer overflow caused by a missing length check on input received in a Thrift protocol network packet.
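The root cause named above, a length taken from the wire and trusted, is the classic shape of this bug class. The following is an added illustration, not IDEMIA firmware or code from the researchers: a hypothetical handler reads a Thrift binary-protocol string field (a big-endian i32 length followed by that many bytes) into a fixed-size buffer, first without any check and then with the checks that close the hole. The packets are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not IDEMIA firmware: a handler that reads a Thrift
 * binary-protocol string field (big-endian i32 length, then that many bytes)
 * into a fixed-size buffer, first without and then with the length checks whose
 * absence the article gives as the root cause. Packets below are constructed. */

#define FIELD_MAX 16            /* fixed destination size, as in an embedded handler */

static int32_t read_i32_be(const uint8_t *p)
{
    return (int32_t)(((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                     ((uint32_t)p[2] << 8)  |  (uint32_t)p[3]);
}

/* BEFORE: the length comes straight from the packet and is trusted. A length
 * larger than FIELD_MAX writes past 'out'; a length larger than the packet reads
 * past it. Kept only to show the defect; never give it untrusted input. */
int parse_string_unchecked(const uint8_t *pkt, size_t pkt_len, char out[FIELD_MAX])
{
    (void)pkt_len;                         /* the missing check: pkt_len is ignored */
    int32_t len = read_i32_be(pkt);
    memcpy(out, pkt + 4, (size_t)len);     /* unbounded copy */
    out[len] = '\0';
    return (int)len;
}

/* AFTER: every quantity taken from the wire is validated before it drives a copy. */
int parse_string_checked(const uint8_t *pkt, size_t pkt_len, char out[FIELD_MAX])
{
    if (pkt_len < 4)
        return -1;                         /* the length prefix itself must be present */
    int32_t len = read_i32_be(pkt);
    if (len < 0)
        return -1;                         /* a negative i32 would become a huge size_t */
    if ((size_t)len > pkt_len - 4)
        return -1;                         /* the string must lie within the packet */
    if ((size_t)len > FIELD_MAX - 1)
        return -1;                         /* and within the destination, leaving room for NUL */
    memcpy(out, pkt + 4, (size_t)len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed packets: one well-formed, three that the checks must refuse. */
const uint8_t BENIGN_PKT[]    = {0x00, 0x00, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
const uint8_t OVERSIZED_PKT[] = {0x00, 0x00, 0x01, 0x00, 'A', 'A', 'A', 'A'};   /* claims 256 bytes, carries 4 */
const uint8_t NEGATIVE_PKT[]  = {0xff, 0xff, 0xff, 0xff, 'A'};                  /* length field is -1 */
const uint8_t TOO_LONG_PKT[]  = {0x00, 0x00, 0x00, 0x14,                        /* 20 bytes: fits the packet, not the buffer */
                                 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A',
                                 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A'};

char scratch[FIELD_MAX];                   /* destination shared by the helper below */

/* Parses with the checked handler into 'scratch'; returns the string length or -1. */
int checked_into_scratch(const uint8_t *pkt, size_t pkt_len)
{
    return parse_string_checked(pkt, pkt_len, scratch);
}

int main(void)
{
    printf("benign:    %d (%s)\n", checked_into_scratch(BENIGN_PKT, sizeof BENIGN_PKT), scratch);
    printf("oversized: %d\n", checked_into_scratch(OVERSIZED_PKT, sizeof OVERSIZED_PKT));
    printf("negative:  %d\n", checked_into_scratch(NEGATIVE_PKT, sizeof NEGATIVE_PKT));
    printf("too long:  %d\n", checked_into_scratch(TOO_LONG_PKT, sizeof TOO_LONG_PKT));
    return 0;
}
```

The three rejections correspond to three distinct ways an unchecked length can go wrong: a claimed size larger than the bytes actually received (over-read), a negative value that wraps when cast to an unsigned size (over-read or over-write), and a size that the packet does carry but the fixed destination cannot hold (stack or heap over-write). A handler needs all three checks, not just the last one.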


Vladimir Nazarov, Head of ICS Security, Positive Technologies, says: “Exploitation of this vulnerability allows attackers to bypass the biometric identification provided by the IDEMIA devices listed above. As a result, criminals can remotely open doors controlled by the device and enter secured areas.”

The second flaw (CVE-2021-35520, score 6.2) is a Heap Overflow vulnerability in the serial port handler. If attackers have physical access to the serial port, they can cause denial of service.

The third issue (CVE-2021-35521, score 5.9) is a Path Traversal vulnerability. Exploiting it allows the reading and writing of arbitrary files, which may in turn lead to unauthorized execution of privileged commands on the device.
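The defensive counterpart to a path traversal flaw is confining every client-supplied file name to the directory it is meant to address before the file is opened. The following is an added example, unrelated to IDEMIA's code: a hypothetical `confine_path` routine that resolves `.` and `..` components lexically against a base directory and rejects any request that is absolute or would climb above the base. The base directory and request strings are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not IDEMIA's code: confining a client-supplied file name
 * to one base directory before it is opened. The walk is purely lexical, so
 * "a/../b" and "a/b/../../c" are resolved without touching the filesystem, and
 * any request that would climb above the base is rejected. */

#define MAX_DEPTH 32

/* Writes base + normalised request into out; returns 0, or -1 if the request
 * is absolute, escapes the base, or does not fit in out. */
int confine_path(const char *base, const char *req, char *out, size_t out_len)
{
    const char *comp[MAX_DEPTH];
    size_t      clen[MAX_DEPTH];
    int depth = 0;

    if (req[0] == '/')
        return -1;                                   /* absolute paths are never accepted */

    for (const char *p = req; *p; ) {
        const char *start = p;
        while (*p && *p != '/')
            p++;
        size_t n = (size_t)(p - start);
        if (*p)
            p++;                                     /* skip the separator */
        if (n == 0 || (n == 1 && start[0] == '.'))
            continue;                                /* "//" and "." change nothing */
        if (n == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)
                return -1;                           /* ".." at the top would leave the base */
            depth--;
            continue;
        }
        if (depth == MAX_DEPTH)
            return -1;
        comp[depth] = start;
        clen[depth] = n;
        depth++;
    }

    size_t used = strlen(base);
    if (used >= out_len)
        return -1;
    memcpy(out, base, used);
    for (int i = 0; i < depth; i++) {
        if (used + 1 + clen[i] >= out_len)
            return -1;                               /* would not fit, including the NUL */
        out[used++] = '/';
        memcpy(out + used, comp[i], clen[i]);
        used += clen[i];
    }
    out[used] = '\0';
    return 0;
}

static char resolved[256];

/* Convenience wrapper: the confined path, or NULL when the request is rejected. */
const char *confine_or_null(const char *base, const char *req)
{
    return confine_path(base, req, resolved, sizeof resolved) == 0 ? resolved : NULL;
}

int main(void)
{
    /* Constructed requests against a constructed base directory. */
    const char *reqs[] = {"users/alice.json", "./users//bob.json",
                          "users/../../../etc/hostname", "/etc/hostname"};
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        const char *r = confine_or_null("/data/cfg", reqs[i]);
        printf("%-30s -> %s\n", reqs[i], r ? r : "REJECTED");
    }
    return 0;
}
```

Lexical confinement is the first gate, not the whole defence: it does not see symbolic links inside the base, so a file opened through the confined path should still be checked with `realpath()` or opened relative to a directory descriptor (`openat()`) so that a link planted under the base cannot point back out of it.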
