ZkTeco-based OEM devices (ZkTeco ProFace X, Smartec ST-FR043, Smartec ST-FR041ME and possibly others) with the ZAM170-NF-1.8.25-7354-Ver1.0.0 and possibly others
Impact: The described vulnerabilities allow you to write any file on the system with root privileges
Access Vector: Remote
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
10.0
CVE-2023-3941
The vulnerabilities reported involve unrestricted file writing due to improper verification of user-supplied input in multiple system components:
-
Handler for User Photo Upload Command (Port 4370/TCP): This component allows files to be written to any specified path because the file names, taken directly from incoming network data, are not checked for manipulations like directory traversal.
-
Handler for Picture Upload Command (Port 4370/TCP): Similar to the photo upload functionality, this part also accepts file paths from user data without ensuring their legitimacy. This oversight could allow unauthorized altering of any file on the system.
-
**Cloud Service Command Handlers in library:
- Command for Advanced File Placement: This function fails to validate the destination file paths dictated by the cloud server, permitting files to be placed or replaced anywhere on the system.
- Basic File Placement Command: Like the advanced placement, this routine also does not scrutinize the file paths provided by user inputs, leading to potential unauthorized file overwrites.
Each of these vulnerabilities is severe due to their potential to allow an attacker complete control over the filesystem, especially problematic since the affected processes have root access.
Apply patch from vendor when it will be available for your device.
Vulnerability was discovered by Georgy Kiguradze from Kaspersky.