CVE-2023-38950 Scanner - Path Traversal vulnerability in ZKTeco BioTime
Short Info
Level
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 2 weeks 4 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -
ZKTeco BioTime is an advanced time management software used widely across various sectors for efficient workforce management. Developed by ZKTeco, it is designed to facilitate biometric verification and attendance management. Organizations from small businesses to large enterprises implement this software to enhance security control and attendance accuracy. With its scalable deployment, BioTime is utilized both locally and internationally, adapting to various time-attendance needs. The software plays a significant role in efficient workforce administration by automating attendance tracking and monitoring. Moreover, the comprehensive integrations make it versatile in various operational scenarios.
The Path Traversal vulnerability in ZKTeco BioTime v8.5.5 allows an attacker to read arbitrary files from the server. This vulnerability, identified as CVE-2023-38950, arises due to insufficient input validation in the iclock API. As a result, unauthenticated attackers can gain unauthorized access to sensitive data. Exploiting the flaw could lead to data leakage and potential exposure of critical system files. Path Traversal is particularly critical as it might facilitate subsequent steps of an attack, such as system manipulation or code injection. Organizations using this software need to be aware of this severe vulnerability.
The technical root of the vulnerability lies in request handling: the application fails to properly sanitize user-supplied input. The vulnerability is centered in the iclock API, specifically when crafted payloads are supplied to the iclock/file endpoint. By using relative path traversal sequences, an attacker can access files outside the intended directories. The crafted requests exploit flaws in URL parameter processing, enabling file reads from paths the endpoint was never meant to serve. This potentially exposes system files integral to the application's operation.
Successful exploitation of the Path Traversal vulnerability could have severe consequences. It could lead to unauthorized access to sensitive configuration files, user data, and other critical information stored on the server. Attackers could leverage this information to mount further attacks against the application or the server. Potential information disclosure might include system credentials, leading to broader system compromises. Additionally, having access to the server’s content could facilitate privilege escalation attacks.
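A defender-side check for the request pattern described above, as an added example that is not part of the original page or of ZKTeco's code: it scans web access logs for requests to the iclock/file endpoint whose query parameters contain path traversal segments after repeated percent-decoding. The combined log format, the sample lines and the parameter name `p` are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request line of a combined-format access log: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
ENDPOINT = "/iclock/file"  # endpoint named in the vulnerability description

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value):
    """True if any path segment of the decoded value is '..' (either slash style)."""
    return ".." in re.split(r"[\\/]+", fully_decode(value))

def suspicious_requests(log_lines):
    """Return (line_no, param_name) for each iclock/file request carrying traversal."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if not fully_decode(target.path).rstrip("/").lower().endswith(ENDPOINT):
            continue
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            if has_traversal(value):
                hits.append((line_no, name))
    return hits

# Constructed sample log lines (not captured traffic); "p" is a placeholder parameter.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /iclock/file?p=report.txt HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /iclock/file?p=/../../example.txt HTTP/1.1" 200 90',
    '203.0.113.9 - - [01/Jan/2024:10:01:00 +0000] "GET /iclock/file?p=%252e%252e%255cexample.txt HTTP/1.1" 200 90',
    '203.0.113.9 - - [01/Jan/2024:10:02:00 +0000] "GET /index.html?p=../x HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for line_no, name in suspicious_requests(SAMPLE_LOG):
        print(f"line {line_no}: traversal sequence in parameter {name!r}")
```

A hit with a 200 status and a non-trivial response size is the case worth triaging first, since the vulnerability requires no authentication.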