IDEMIA’s Big Glitch: Critical Vulnerabilities Expose Biometric Terminals

IDEMIA Vulnerabilities

IDEMIA, a prominent vendor of biometric access-control and time-and-attendance terminals, recently issued an advisory that highlights critical vulnerabilities in its Access and Time Biometric Terminals.

The advisory, released in November 2023, focuses on multiple vulnerabilities affecting products like SIGMA Lite & Lite+, SIGMA Wide, SIGMA Extreme, MorphoWave Compact/XP, VisionPass, and MorphoWave SP. These vulnerabilities, classified with a critical security rating, pose risks such as unauthorized access, data leakage or manipulation, and denial of service.

Six vulnerabilities were highlighted in the advisory, with four classified as critical due to their potential for remote code execution. These vulnerabilities, CVE-2023-33218, CVE-2023-33219, CVE-2023-33220, and CVE-2023-33222, range in severity, with CVSS scores going as high as 9.1. They stem from issues like missing integrity checks, stack buffer overflows, and heap buffer overflows, posing serious risks to the integrity and confidentiality of data.

The advisory delineates six distinct vulnerabilities, each with its own risk profile:

  1. CVE-2023-33217: This vulnerability, characterized by a missing integrity check on the upgrade package, presents a high risk (CVSS:3.1 score of 7.5). It could lead to permanent denial of service, requiring the device to be returned to the manufacturer for recovery.
  2. CVE-2023-33218 & CVE-2023-33219: Both vulnerabilities involve stack buffer overflows that could potentially lead to remote code execution on targeted devices. With a CVSS:3.1 score of 9.1, they are classified as critical.
  3. CVE-2023-33220: Similar to the previous ones, this critical vulnerability (CVSS:3.1 score of 9.1) allows for a stack buffer overflow during retrofit validation, potentially leading to remote code execution.
  4. CVE-2023-33221 (CVSS:3.1 score of 7.8) & CVE-2023-33222 (CVSS:3.1 score of 9.1): These vulnerabilities relate to buffer overflows when reading DESFire cards, with varying levels of access complexity and potential for remote code execution.

At the heart of these vulnerabilities is a common theme: the lack of boundary checks when manipulating buffers, and an improper check of the firmware update file's structure.
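To make that root cause concrete, the following is an added example (not code from IDEMIA's firmware or from the advisory) showing the bug class in C: a parser that copies a length-prefixed record from an untrusted source (a card, a retrofit file, an update package) into a fixed-size stack buffer. The record layout, buffer sizes and sample bytes are all constructed for illustration. The unchecked version trusts the length byte; the hardened version rejects a record whose declared length runs past the input or past the destination before any copy happens.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical record layout, constructed for this example only:
 *   byte 0: tag, byte 1: length N, bytes 2..2+N-1: value.
 * This is NOT IDEMIA's card or firmware format. */
#define VALUE_BUF_SIZE 16

enum parse_status {
    PARSE_OK = 0,
    PARSE_SHORT_HEADER = -1,  /* fewer than 2 header bytes available */
    PARSE_TRUNCATED = -2,     /* declared length runs past end of input */
    PARSE_TOO_LONG = -3       /* declared length exceeds destination buffer */
};

/* "Before" shape of the bug class: the untrusted length byte drives memcpy
 * into a 16-byte stack buffer with no check. A length byte of 200 would
 * write 184 bytes past the buffer. Kept here for comparison only; main()
 * feeds it benign input. Returns an XOR of the copied bytes so the buffer
 * is actually used. */
uint8_t parse_record_unchecked(const uint8_t *in, uint8_t *tag)
{
    uint8_t value[VALUE_BUF_SIZE];
    uint8_t len = in[1];
    *tag = in[0];
    memcpy(value, in + 2, len);        /* missing boundary check */
    uint8_t x = 0;
    for (size_t i = 0; i < len; i++) x ^= value[i];
    return x;
}

/* Hardened parser: validates the header, the declared length against the
 * bytes actually present, and the declared length against the destination
 * capacity, before touching memory. */
int parse_record_checked(const uint8_t *in, size_t in_len, uint8_t *tag,
                         uint8_t *value, size_t value_cap, size_t *value_len)
{
    if (in_len < 2) return PARSE_SHORT_HEADER;
    size_t len = in[1];
    if (len > in_len - 2) return PARSE_TRUNCATED;
    if (len > value_cap) return PARSE_TOO_LONG;
    *tag = in[0];
    memcpy(value, in + 2, len);
    *value_len = len;
    return PARSE_OK;
}

/* Constructed sample inputs (not real card or firmware data). */
enum sample_kind { SAMPLE_BENIGN, SAMPLE_OVERSIZED, SAMPLE_TRUNCATED };

static size_t build_sample(enum sample_kind kind, uint8_t *out, size_t cap)
{
    static const uint8_t benign[] = { 0x01, 0x04, 'A', 'B', 'C', 'D' };
    /* Claims 10 bytes but only 4 follow. */
    static const uint8_t truncated[] = { 0x01, 0x0A, 'A', 'B', 'C', 'D' };
    switch (kind) {
    case SAMPLE_BENIGN:
        memcpy(out, benign, sizeof benign);
        return sizeof benign;
    case SAMPLE_TRUNCATED:
        memcpy(out, truncated, sizeof truncated);
        return sizeof truncated;
    case SAMPLE_OVERSIZED: {
        /* Claims 200 bytes, and 200 bytes really follow: well-formed on
         * the wire, but far larger than the 16-byte destination. */
        const size_t claimed = 200;
        if (cap < claimed + 2) return 0;
        out[0] = 0x01;
        out[1] = (uint8_t)claimed;
        memset(out + 2, 0x41, claimed);
        return claimed + 2;
    }
    }
    return 0;
}

/* Runs the hardened parser over one constructed sample and returns its status. */
int demo_status(enum sample_kind kind)
{
    uint8_t in[256];
    uint8_t tag, value[VALUE_BUF_SIZE];
    size_t vlen = 0;
    size_t in_len = build_sample(kind, in, sizeof in);
    return parse_record_checked(in, in_len, &tag, value, sizeof value, &vlen);
}

/* Returns the value length the hardened parser reports for the benign sample. */
size_t demo_benign_value_len(void)
{
    uint8_t in[256];
    uint8_t tag, value[VALUE_BUF_SIZE];
    size_t vlen = 0;
    size_t in_len = build_sample(SAMPLE_BENIGN, in, sizeof in);
    if (parse_record_checked(in, in_len, &tag, value, sizeof value, &vlen) != PARSE_OK)
        return 0;
    return vlen;
}

int main(void)
{
    uint8_t benign[256], tag;
    build_sample(SAMPLE_BENIGN, benign, sizeof benign);
    printf("unchecked, benign input: xor=0x%02x\n", parse_record_unchecked(benign, &tag));
    printf("checked benign=%d oversized=%d truncated=%d\n",
           demo_status(SAMPLE_BENIGN), demo_status(SAMPLE_OVERSIZED),
           demo_status(SAMPLE_TRUNCATED));
    return 0;
}
```

The point of the hardened version is the order of operations: both length comparisons happen before the copy, and the comparison against `in_len - 2` is only evaluated after `in_len < 2` has been ruled out, so the subtraction cannot wrap. The same three checks apply whether the record comes from a card read, a retrofit blob, or an upgrade package header.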

In response to these discoveries, IDEMIA has released firmware updates to mitigate these risks. The advisory specifies the non-vulnerable firmware versions for each affected product, urging users to update their devices promptly. Additionally, the advisory provides workarounds for mitigating the risks, including activating mTLS on the devices and using diversified DESFire keys.