ZkTeco-based OEM devices (ZkTeco ProFace X, Smartec ST-FR043, Smartec ST-FR041ME and possibly others) with the ZAM170-NF-1.8.25-7354-Ver1.0.0 and possibly others
Impact: Since all the found command implementations are executed from the superuser, their impact is the maximum possible
Access Vector: Remote
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
10.0
CVE-2023-3939
Multiple command injection vulnerabilities exist in two components of a system: an executable handling TCP connections and a shared library processing cloud server messages. Both components allow execution of arbitrary OS commands with root privileges due to insecure handling of user input. Specific vulnerabilities include:
- Handler for User Photo Delete and Handler for Picture Delete Commands: User-supplied file names are not properly sanitized before being used in system commands, allowing execution of arbitrary commands.
- Cloud Service Command Handlers (PushCommandExecute): Several functions mishandle user input from the cloud, allowing execution of arbitrary commands via specially crafted server responses.
All vulnerabilities exploit improper input validation and the use of the system function, posing severe security risks.
Apply patch from vendor when it will be available for your device.
Vulnerability was discovered by Georgy Kiguradze from Kaspersky.