CVE-2023-3942
Description
An 'SQL Injection' vulnerability, due to improper neutralization of special elements used in SQL commands, exists in ZKTeco-based OEM devices. This vulnerability allows an attacker to, in some cases, impersonate another user or perform unauthorized actions. In other instances, it enables the attacker to access user data and system parameters from the database. This issue affects ZkTeco-based OEM devices (ZkTeco ProFace X, Smartec ST-FR043, Smartec ST-FR041ME and possibly others) with firmware ZAM170-NF-1.8.25-7354-Ver1.0.0 and possibly others, Standalone service v. 2.1.6-20200907 and possibly others.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An SQL injection vulnerability in ZkTeco-based biometric devices allows remote unauthenticated attackers to access user data and system parameters.
Vulnerability Details
This vulnerability is an SQL injection (SQLi) present in ZkTeco-based OEM devices such as the ZkTeco ProFace X and Smartec ST-FR043/ST-FR041ME. The root cause is the improper sanitization of user-controlled input before its use in constructing SQL queries, specifically within the WHERE clause of the device's database query functions. The flaw affects firmware ZAM170-NF-1.8.25-7354-Ver1.0.0 and the Standalone service v. 2.1.6-20200907, and possibly other versions [1].
Exploitation
The attack surface is the device's network interface; the vulnerability is remotely exploitable without any authentication (CVSS vector AV:N/AC:L/PR:N). An attacker can send crafted input to the vulnerable parameters. In some cases, the input length is limited, leading to a restricted injection, while in other instances the input size is sufficient to inject arbitrary SQL commands [1].
Impact
Successful exploitation allows an attacker to read sensitive data from the device's database, including user information and system parameters. In some attack scenarios, the attacker can impersonate another user or perform other unauthorized actions on the system. The CVSS v3 score is 7.5 (High) with a confidentiality impact of High [1].
Mitigation
As of the advisory's publication, no vendor patch had been released. The recommended action is to apply a patch from the vendor when it becomes available. The advisory does not list a workaround [1]. This vulnerability is not known to be on the CISA KEV list at the time of writing.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
References (1)
News mentions
No linked articles in our index yet.