Executive Summary

Summary
Title Hanvon facial recognition (Face ID) devices do not authenticate commands
Informations
Name VU#767044 First vendor Publication 2014-05-20
Vendor VU-CERT Last vendor Modification 2014-05-20
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:P/I:C/A:P)
Cvss Base Score 8.3 Attack Range Network
Cvss Impact Score 8.5 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#767044

Hanvon facial recognition (Face ID) devices do not authenticate commands

Original Release date: 20 May 2014 | Last revised: 20 May 2014

Overview

Hanvon facial recognition (Face ID) devices possibly running software versions prior to 1.007.110 could allow an unauthenticated attacker to modify user and access control information.

Description

CWE-306: Missing Authentication for Critical Function

It has been reported that Hanvon biometric facial recognition devices running software versions prior to 1.007.110 do not authenticate network connections or API commands. Hanvon devices provide a plain-text management protocol/API on port 9922/tcp. An attacker with network access can connect to devices using telnet or a similar terminal or TCP socket utility, with no authentication.

It has been reported the following devices are affected: F710, F810, FA007, FK800, and earlier series. It is possible that all Hanvon facial recognition devices could be affected.

Impact

An unauthenticated attacker with network access to vulnerable devices on 9922/tcp could create, modify, and delete user and access control information. This could allow the attacker to bypass authentication and authorization for physical access or time and attendance tracking.

Solution

Update

It has been reported that this vulnerability has been addressed in software version 1.007.110. Affected users are advised to contact their device provider, integrator, or Hanvon to obtain updated software.

Restrict Access

As a general good security practice, only allow connections from trusted hosts and networks. Consider running sensitive access control systems on a separate network.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
Hanvon Technology CoAffected-07 May 2014
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

GroupScoreVector
Base8.3AV:N/AC:M/Au:N/C:P/I:C/A:P
Temporal6.2E:POC/RL:OF/RC:UR
Environmental2.0CDP:MH/TD:L/CR:ND/IR:H/AR:ND

References

  • http://www.hanvon.com/En/products/FaceID/technology/index.html
  • http://www.hanvon.com/en/products/FaceID/products/index.html
  • http://cwe.mitre.org/data/definitions/306.html

Credit

Thanks to Kelvin Tan Thiam Teck for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

  • CVE IDs:CVE-2014-2938
  • Date Public:20 May 2014
  • Date First Published:20 May 2014
  • Date Last Updated:20 May 2014
  • Document Revision:16

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/767044

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-287 Improper Authentication

CPE : Common Platform Enumeration

TypeDescriptionCount
Hardware 4
Os 1
Os 1
Os 1
Os 1

Alert History

If you want to see full details history, please login or register.
0
1
2
3
Date Informations
2014-07-17 00:24:56
  • Multiple Updates
2014-05-24 00:24:31
  • Multiple Updates
2014-05-23 05:25:37
  • Multiple Updates
2014-05-20 21:21:04
  • First insertion