IDEMIA MoprhoWave

Main article: Biometric identification technologies

2022: Correcting the vulnerability to circumvent biometric identification

The critical vulnerability of VU-2021-004, rated 9.1 on the CVSS v3 scale, was discovered by Positive Technologies experts Natalya Tlyapova, Sergey Fedonin, Vladimir Kononovich and Vyacheslav Moskvin. Devices found in error are used in large financial institutions of the world, universities, health organizations, and critical infrastructure. Forced use of TLS for the control protocol will eliminate the risk of bypassing biometric identification. This was reported by PT on January 14, 2022.

Vulnerability was identified in several lines of biometric readers for the IDEMIA MCDS, equipped with both fingerprint scanners and combined devices analyzing fingerprints and vein patterns. The attacker can potentially penetrate the protected area or block the operation of access control systems, "said Vladimir Nazarov, head of the safety department of industrial control systems at Positive Technologies.

A remote attacker can use the following commands without authentication:

• trigger_ relay command to open a door or turnstile if the terminal directly controls them
• or the terminal_reboot command to cause a denial of service.

To resolve the vulnerability, users must activate and correctly configure the TLS protocol according to section 7 of the IDEMIA Safe Installation Guidelines. In one future version of the firmware, IDEMIA will make TLS activation mandatory by default.

The following devices are vulnerable:

• MorphoWave Compact MD;
• MorphoWave Compact MDPI;
• MorphoWave Compact MDPI-M;
• VisionPass MD;
• VisionPass MDPI;
• VisionPass MDPI-M;
• SIGMA Lite (all variants);
• SIGMA Lite + (all variants);
• SIGMA Wide (all variants);
• SIGMA Extreme;
• MA VP MD.

In July 2021, IDEMIA fixed three vulnerabilities discovered by Positive Technologies experts.

2021: Addressing three vulnerabilities

IDEMIA fixed three vulnerabilities discovered by Positive Technologies experts Natalya Tlyapova, Sergey Fedonin, Vladimir Kononovich and Vyacheslav Moskvin. One of the vulnerabilities turned out to be critical. Errors were detected in the firmware of IDEMIA devices series MoprhoWave, VisionPass, SIGMA, MorphoAccess, which are designed to organize access control using biometric identification. This was reported by RT on July 22, 2021.

Using these vulnerabilities, the attacker can access the remote execution of commands, cause a denial of service to the device, as well as read and write arbitrary files on it.

The first security flaw of CVE-2021-35522 (CVSS v3 rating 9.8, critical risk) can allow an attacker to remotely execute arbitrary code. The error refers to the buffer overflow class and is due to the absence of a length check for input data received from a Thrift network packet.

By operating this vulnerability, you can bypass biometric identification the IDEMIA devices listed above. As a result, the attacker can, for example, remotely open the doors controlled by the device and enter the protected area, "says Vladimir Nazarov, head of the security department of Positive Technologies industrial control systems.

The second CVE-2021-35520 vulnerability (estimated at 6.2) is an overflow in the serial port handler heap. If you have physical access to the serial port, you can cause the device to be denied service.

The third vulnerability CVE-2021-35521 (rating 5.9) belongs to the class "out of directory." The error allows you to read and write arbitrary files. These capabilities allow unauthorized execution of privileged commands on the device.

To eliminate the possibility of operating detected vulnerabilities, it is necessary to install the latest version of the firmware, available on the official IDEMIA website.