Positive Technologies researchers Natalia Tlyapova, Sergey Fedonin, Vladimir Kononovich, and Vyacheslav Moskvin have discovered three vulnerabilities in the firmware of MorphoWave, VisionPass, SIGMA and MorphoAccess devices from IDEMIA, a global leader in Augmented Identity. The affected devices are designed to organize access control through biometric identification, and the flaws have been patched by the vendor.
By exploiting these vulnerabilities, attackers can perform remote command execution, cause a denial of service, and read and write arbitrary files on the device.
The first vulnerability (CVE-2021-35522), which has a CVSS v3 score of 9.8, signifying critical severity, would allow attackers to remotely execute arbitrary code. It is a buffer overflow caused by a missing length check on input received in a Thrift protocol network packet.
Vladimir Nazarov, Head of ICS Security, Positive Technologies, says: “Exploitation of this vulnerability allows attackers to bypass the biometric identification provided by the IDEMIA devices listed above. As a result, criminals can remotely open doors controlled by the device and enter secured areas.”
The second flaw (CVE-2021-35520, score 6.2) is a Heap Overflow vulnerability in the serial port handler. If attackers have physical access to the serial port, they can cause denial of service.
The third issue (CVE-2021-35521, score 5.9) is a Path Traversal vulnerability. Exploiting it allows the reading and writing of arbitrary files, which may in turn lead to unauthorized execution of privileged commands on the device.