ZKTeco Admits Multiple Critical Vulnerabilities, No Fix Yet Available, Excuses Made

Published Jun 13, 2024, 14:20

ZKTeco, the PRC's largest access control company, now admits to the multiple critical vulnerabilities that Kaspersky disclosed two days ago, but in an email to IPVM it acknowledges that no fix is yet available, while making excuses.


This report examines the practical risks and shows how ZKTeco's late response contains numerous excuses and fails to provide basic cybersecurity measures that even its PRC peers, such as Dahua and Hikvision, have put in place.

Executive Summary

** *** ******** ****, ******'* ******** base ********* ******* **** *** *** costs. ** ****, ** ******* ***** three ******** ***************, *** ** ***** ones, **** *** ************* ****** ***** who ******* *** *** *** ****, as **** *** *** *** ***** and *********'* **** ******** ****. *******, in ******** ** ***** *** *********, ZKTeco's *** ***** **** ******* *** more ** ************* **** ****** ** demonstrating ****.

** *** ******** ****, *** **** number *** ********, **** ******'* **** response *** *******, ******** **** ** has *** ********* ****** ********* ** prioritized ************* ** ****. ******'* ********* to **** **-******, ********** ** *** West, ***** ********* ****** ** * *** *******, **** ****** ** ******** ** enterprise ***** *** *********** **** **** as * ******* *******.

ZKTeco ********

** ********* ******'* ******** ************* *****, and **** ********* **** * **** of ** "******** *********..." ** ** the **** ** **** ***********, **** statement *** *** *** **** ********* online, *** ** ****** **** **** soon ** **.


****** ****** **** **** **** **** begin ******* *** ***** *** **** in ** ****:

***** ******* **** ***** ******* *** on **** **** *** ******** ******** models, **** ******* *** ***** ****** to ****** ****** ** ******* ****.

****** *** *** ****** *** ******** about **** **** **** ***** **** aware ** **** ** *** **** devices **** ********. ********* *** *** say *** *** ** *** ***** if ** **** **** ********* ******.

****** ********* **** **** **** *** making ******* *** **** **** ** a ********** *****:

**’* ********* ** *********** **** *** challenge ** ******** *************** ** *** unique ** ******; ** ** * widespread ***** across the software and hardware industry. However, we do not take this as an excuse. Instead, we see it as a call to action—a reminder of our responsibility to you and all our users. [emphasis added]

** *** ********, ***** **** *** a ********** ***** ** *** *****, this **** ** *****-***** **** ************* discovery *** ****** *** **** ****** in *** **** **** ***** ** manufacturers **** ******** *************.

********, ****** **** *** **** ***** that ** *** ********** ******* ************* labs, ****** **** ** **** ** so ***** *******:

*********** *** ********** ** ********** *********** in ********, we **** ****** * *****-***** ************* *** to conduct regular audits of our systems [emphasis added]

** ****** *** ******* **** ***** so, ** ******* *** ****** *** severity ** *** *************** ***** ** far *****.

No **** ** ****** ********

******'* "******** *********" ****** **** **** references "******** ******** ******" ***, **********, does *** ********* ******** ******.

********* ***********'* ****** **********, *** ********** ******** / ******** is **** ******'******** ***** *** *** ****',******* **-*****,******* **-*******, *** "******** ******" **** *** ZAM170-NF-1.8.25-7354-Ver1.0.0 ********.

***** ********* ***** "******** *****," ** recommend ******* ** ** ** ******* for *********** ****** ******* ******* **********/******** to ***** *********/****, *** ***** **** practices ********* ** ********* *** ****** likely ** ****** ***** ******** ******* of *** ***** **** **** ****** that **** **** *** ******/*** ****** to.

**********

********* ** * *** **** ********* / ******** *** ****, ********* ***** critical (**.*), *** **** (*.*), *** one ****** (*.*) ******** ****** ***************. The ********* **** ** ** ******** exploiting **** ** *** *** *************** (all *** *** ****** / *.* vulnerability ***-****-****) ** **** ** *** ******** does *** **** ** ** ************* and *** ******* ***** ******* ******** / **** *** *******, *** ******* examination ***** **** ** ***** **** due ** **** *********** *********.

***** *************** **** **** ***** ***** 2023, ** ********* ** ***** *** names, *.*., (***-****-****) *** *********'* **** posted / **** ********** ********* ** them *** **** ***.

************, *********'* ******** ** *** ******* them ********** ****** ** *** ******* responding ** *********** **** ****.

*********'* **** ***** *************** ** ******'******** **** *** ****',******* **-*************** **-*******; ** **** "******** ******" ***** be ********. ** ********* ******* ** it ** ****** ****** ***** *************** impact ***** ****** ********, ** ********, the ******** ********* **** ****** ******** products, *** **** * ****** ****** line.

ZkTeco **** * ******** ******** **** ****

****** *** **** *** "******** ********" ****** ** *** ******* from ****(******* ***** *****):


** ********, **** ************* ** *** industry **** ********* ********, ********, *** programs **** *** ********* *** ********** facing. ***** **** *** ****** *** researchers **** ** ** ** / when **** **** * ************* *** make **** ***** ** * ****** process.

Vulnerability ***** ***** ****

***** **** **** ********* ** */**/****, given ***** ***** / ******* ********, it ********* ***** *************** *** **** known / ********* (** ***** *********) since ****.

Breakdown ** ******** ******

** *****, * **** ****** **** not *** **** ******** ****** **** NVD, *** ********* **** *** ******** scores, *********:

Largely ****** ** **** ***********

******* ** *** ***** ***************, ********* says *** "****" ******* ********* ************* allows ********* ** ********* ******** **** root ********** "*** ** ******** ******** of **** *****" *** "**** ***** are *** ******** *********," *********** **** development / ****** ********* *** ***** hygiene. *** ******* ** ***** *****:


3 ******** *************** ***************

***** ***************, ***-****-****, ***-****-****, *** ***-****-****, **** ******** * ******** ******** rating ** **.*. *** ********* ************ of ***** ******** *************** ****** ** considered **** ** **** *** ** exploited ******** ******* **************.

2 High Vulnerabilities

********* *** ******** ***-****-**** * **** severity ****** ** *.*. *** *************'* practical ************ ****** ** ********** ****, as ** *** ** ********* ********; however, ** ** **** ******* **** the ***** ***** ******** ***************, ** an ******** **** ****/******* *** **** paths.

********* *** ******** ***** ******** ****** ** *.* ** CVE-2023-3942. *** *************'* ********* ************ ****** be ********** **** ** ** *** be ********* ********. ** ** ******* vulnerability **** *** **** ********* *** to **** ***********, ** ********* ***** inputs ***** "********** *********" *** **** inputs ***** ******** "******* ****** ********** or ********."

1 Medium Vulnerability

***** ********* ******** ******* ******** ****** ** *.* ** CVE-2023-3938, *** ********* ************ ** *** vulnerability ****** ** ********** ***, ** it ******** *** ******** ** **** physical ****** ** *** ******.

Kaspersky *** **** ** *

****, *** ****** ********* ********* **** **** ** * (***** *****) **** ***** ** ***** own ********** ********** **** *********** ***** ** *********** **********.


Comments (10)
JW
Jermaine Wilson
Jun 13, 2024
IPVMU Certified

***** ** ******'* **** ********* **** its ************* **** ** **** ****, at *** **** ** *********** *** not **** ******** **********:

******** ********* **** ****** ********* ****** Security ************

** *** ****** *********, ********, *** stakeholders,

** ******, ** ****** ******** *** privacy ** *** ************ ******** ** our ******* *** ******* *********. *** commitment ** ***** ********** *** **** unwavering, ****** ** ****** ********* **** as **** *** *********** ** *** certifications ** ***/*** *****, *****, *** 27017. *****, ** **** ** ******* a ******* **** *** **** ** our ********* ********* *************** ** ******* models ** *** *********.

********** *** *****: ** **** ** ** upfront ***** **** *********. **** *********** these ***************, *** *&* **** *** been ********* ** ******* * ************* solution. ** ********** *** ********* ****** on **** ********** *** *** ******* diligently ** ****** **** ***** *************** are ********* **** *** *********** *** urgency **** *******.

******* *********: *** *&* **** ** ********* to ********* *** ********** ***************. ** are *** **** ******* ** ***** a *******; ** *** ******* ** improve *** ******* ** ******* ******* issues ** *** ******.

******** *******: ** ****** *** ********* ** your **********, ** *** ******** ******** updates **** ** ****** ** *** our ******** *** *******. ***** ******* will ***** ******* *** ** **** 23rd *** ******** ******** ******, **** updates *** ***** ****** ** ****** within ** ******* ****.

******** ******** ********: *********** *** ********** ** continuous *********** ** ********, ** **** engage * *****-***** ************* *** ** conduct ******* ****** ** *** *******. Additionally, ** *** ****** ***** ** ensure ********** **** *** ******** **** directive, *********** *** ********** ** ****** security *********.

******** ***********: **’* ********* ** *********** **** the ********* ** ******** *************** ** not ****** ** ******; ** ** a ********** ***** ****** *** ******** and ******** ********. *******, ** ** not **** **** ** ** ******. Instead, ** *** ** ** * call ** ******—* ******** ** *** responsibility ** *** *** *** *** users. ***** ***************, ***** ***********, ** not **** * ****** ****** ** the ******* ******** ** *** *******. We *** ******** **** ****** **** all *** ********* *** ************.

********* ******** *** ******** *******: ** ********* disabling *** ****** ** **** **** on *** ********* *** ********* ** the ******* ** **** ****, ***** remains ****** *** **********.

*** ***** **** ********* ******** ********, we *** ************ *** ******** ** firmware ******* ** ****** **** ******* are ******* ** ******* ** ********.

*** **********: ** ********* ****** *** ******* this *** *****. *** **** ****** the ***** *** ***** ** *** products *** ********, *** ** *** committed ** ********* *** *********** **** trust. ** ********** **** ************* *** support ** ** ******** **** ********* and ******* *** ******** ********.

*** ******* ***********, *******, ** *******, please ******* ****** ******** ******* *********@******.***** ***** *** ******* *****.******.***.


*****@******.***

(2)
JH
John Honovich
Jun 13, 2024
IPVM

**** ** * ****** *** ******** from ******. ** ***** *** ********* specificity **** **** ********* **** (** enable ***** ** **** ********* ** product ******, ******** ********,***.) ** **** as ***** ******* *******. ******, ******** someone ***** ********* ** ******* "** *** **** **** ** ** excuse," **'* * ***** **** **** it ** ** ******.

**** ** *** **** ** ******** that *** ****** ** **** ** so *** **'* ********** (*** **********) rare *****.

(1)
CH
Conor Healy
Jun 13, 2024
IPVMU Certified

**'* *********** **** ********* *** * PRC *******'* *************** ***** **** ***** **** ********* **** **** ******* ***********, ********* the *** (********* ** *** ***). Given *** "**-******" ******-***** **********, ** **** ******* ******* ************ trends **** ********* ***** ******* ********* so ******* ** * *** *******. If ********, **** ******** ***** *** work **** **** ********.

(3)
TR
Tauna Rennie
Jun 13, 2024

******* ***** ****** *** ***********? ** a ***** ***** *******, ****** ****** on ***** ********* *** ********** **** been *** *** *** **********. ******* a ******* **** ** *********?

(1)
JH
John Honovich
Jun 14, 2024
IPVM

*****, ***** ** *** *********** *** pattern ** *********** ****** ** *********, based ***********'* *********** ******** *****-***** *** ***** ****** ** ******. It's ***** **** ***********, *** ** believe **** ** *** **** ** a ********* ** ******'* **** ******** development ********* **** *********** **********.

(1)
UM
Undisclosed Manufacturer #1
Jun 14, 2024

**** **** ****** *** **************** ****************, **** **** *** *************** *****, vs *** **.* ******** *** *** lists. **** ***** ** ***** *** the ******** ** *** ******** ** view *** **** ** ******** ******. Of ******, ***** ** ** ********. And *** **** *********** *** ***** they ***** *************, *** **** ** manually ****** **** **** *** * USB *****, ***** **** ***** **** not "******* *** ****** ********* ** your *******".

(1)
JH
John Honovich
Jun 14, 2024
IPVM

#*, *** **** ** ** **. Jermaine ** ***** ** **** ** that. ******.

JW
Jermaine Wilson
Jun 14, 2024
IPVMU Certified

****** */**: ****** ******** * "****** update ************" ********* ***** ***************, ***** calling ******* **** *** ** **** "scheduled ****** *******":

** *** ********* ** *********** ********* and *********** *** ******** *** *********** of *** ********. ** **** ** these ******* *******, ** *** releasing * ********* ****** ****** for our standalone terminals and systems. [Emphasis added]

****** ***** ******* **** ******* "***** vulnerabilities." *******, ** ****, **** ** the *************** *** "*****," ** ***** of **** *** ******** **.*, *** are "****" *.*, *** *** ** "Medium" *.*. ** *****, ***** **** 24 ***************.

******:

Details ** *** ******:

**** update ********* ***** *************** ********** in certain models of our ********** *********. For a detailed list of the affected models, please refer to the appendix of this notification. Additionally, the update enhances the overall performance and stability of these systems. [Emphasis Added]

****, ***** **** *** ** ***** to *** ******** ** *** ************, there ** ** **** ** ******** models / ********.

***** **** **** *** ************ ******* ZKTeco's ****** ********* *** *** *** they **** ** **. *** **** similar ******* *** *** ****** ******** of **** ****, ***** *** ******* will ***** ******* ***:

Schedule *** ************:

*** ******** ******* **** start ******* *** ** **** **** *** *** ****** ******** ******** ** ***** ***************, as specified in the appendix. Updates for other models will follow within the next 30 working days. [Emphasis added]

********* ** ****:

******** *******: ** ****** *** ********* of **** **********, ** *** ******** firmware ******* **** ** ****** ** all *** ******** *** *******. These ******* **** ***** ******* *** ** **** **** *** ******** ******** ******, **** ******* *** ***** ****** ** ****** ****** ** ******* ****. [Emphasis Added]

****: **** *** ********* ********** ******** from ******'* ***** **** *** **** expand **** ******** ** *** ****** days.

****, ******'* **** ****** ************ ****** on */** ** ****** *****:

****** ****** ************

****-**-**

System ****** ************

**** ****** *****,

** *** ********* ** *********** ********* and *********** *** ******** *** *********** of *** ********. ** **** ** these ******* *******, ** *** ********* a ********* ****** ****** *** *** standalone ********* *** *******.

Details ** *** ******:

**** ****** ********* ***** *************** ********** in ******* ****** ** *** ********** terminals. *** * ******** **** ** the ******** ******, ****** ***** ** the ******** ** **** ************. ************, the ****** ******** *** ******* *********** and ********* ** ***** *******.

Schedule *** ************:

*** ******** ******* **** ***** ******* out ** **** **** *** *** models ******** ******** ** ***** ***************, as ********* ** *** ********. ******* for ***** ****** **** ****** ****** the **** ** ******* ****.

**************:

***** *** ******** ** ******** ******** the ******** ******* **** **** *** support ****. *** ****** ****** **** be ******** ** *** ********* ***** a *** *****. **** ****** ******* that *** *********, ******* ********* ** the ******** ** ***, ******* *** update ******** *** ***********. ** **** ensured **** **** ****** ******* ** straightforward *** **** *** ******* *** normal ********* ** **** *******.

Security ************:

****** **** **** **** ********** ****** focuses ** ****** ******** ************ *** performance ************ *** ****** *******.

Recommended *******:

*** ******* ****** *********** *** ********, we ********* *** ***** ** ****** their ******* ** ***** ******** ***********. Comprehensive ************ *** *********** *** ******** the ******** *** *** **** ** available ** *** ******* ****.

*******:

** *** ******* ********** ****** *** update ******* ** **** *** *********, please ** *** ******** ** ******* our ******** ******* *********@******.***. *** **** ** ***** *** eager ** ****** *** **** *** issues *** *** *********.

** ********** **** *********** *** ************* as ** **** ** ****** **** our ******** ****** ****** *** ********.

***** *** *** ******** ******.

**** *******,

*** ****** ****

James Mifsud
Jun 15, 2024
Atlas Technologies Australia

* *****’* ***** ** ****** **********, after ****** * ***** ****** **** look ***** *********** *** *’* ******** that ***** **** *** *****

JH
John Honovich
Jul 05, 2024
IPVM

** **** ****, ****** ********** **** **** ******** ***** *** this:

****** ****** ********

****-**-**

**** ****** *****,

** *** ******* ** ******** **** the ****** ****** ******** ** *** systems **** **** ********** ********. *** team *** ********** ****** ** ******* the ************* *** ********* ** *** products ******* *********** ******** *** ******** updates.

What’s ***:

Bug Fixes: All known bugs have been addressed, ensuring improved performance and reliability.

New Firmware and Software Versions: Updated versions are designed to enhance user experience and system compatibility.

Appendix ********* ******** ******: To clarify which models are affected by these updates, we have included an appendix in this communication. Please refer to this appendix to determine if your model requires the new firmware or software.

Action ********: To ensure optimal performance and security, we strongly recommend that all users update their systems with the latest firmware and software versions. The updates are now available for installation.

*******, *** ******** **** **** ***** to *** *** ***** ** **** page.