CVE-2020-17474

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to reuse authentication tokens to perform unauthorized administrative actions in ZKTeco biometric systems. Affected systems include ZKTeco FaceDepot 7B version 1.0.213 and ZKBiosecurity Server version 1.0.0_20190723. Attackers can create new users, elevate privileges, delete users, and download biometric face data.

💻 Affected Systems

Products:
  • ZKTeco FaceDepot 7B
  • ZKBiosecurity Server
Versions: FaceDepot 7B 1.0.213, ZKBiosecurity Server 1.0.0_20190723
Operating Systems: ZKBiosecurity Server is typically deployed on Windows; FaceDepot 7B is a standalone facial-recognition terminal running its own firmware (1.0.213 is the affected firmware version)
Default Config Vulnerable: ⚠️ Yes
Notes: FaceDepot 7B is a facial-recognition access control terminal; ZKBiosecurity Server is the management platform that administers users, devices and stored biometric templates. Both are in scope because the same token-reuse weakness affects the listed versions of each.

📦 What is this software?

ZKTeco makes biometric access control hardware and the management software that runs it. FaceDepot 7B is a wall-mounted facial-recognition terminal used for door access and attendance; ZKBiosecurity Server is the central platform on which administrators create users, assign privileges, manage devices and store face data. Because the server holds the identity and biometric records for an entire site, an administrative compromise of it also compromises every door it controls.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to create administrator accounts, delete legitimate users, exfiltrate biometric face data, and maintain persistent access to the biometric security system.

🟠 Likely Case

Unauthorized administrative access leading to privilege escalation, user account manipulation, and potential biometric data theft from the database.

🟢 If Mitigated

Limited impact if systems are isolated from untrusted networks and have strict access controls, though the vulnerability remains present in the software until patched.

🌐 Internet-Facing: HIGH - Systems exposed to the internet are directly vulnerable to remote exploitation without authentication.
🏢 Internal Only: HIGH - Even internally, any attacker with network access can exploit this vulnerability to gain administrative control.

🎯 Exploit Status

Public PoC: ❌ No (none found at time of writing)
Weaponized: UNKNOWN (no public exploit found)
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is a token-reuse flaw: an attacker who obtains an authentication token can replay it to perform administrative actions. No credentials of the attacker's own are required, and once the mechanism is understood, replaying a token takes minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not published; check with ZKTeco for updated firmware and server versions

Vendor Advisory: https://www.zkteco.com/ (contact the vendor directly; no public advisory was found)

Restart Required: Expected (a service or device restart after applying updates)

Instructions:

1. Contact ZKTeco support for patched versions.
2. Back up system configuration and data, including user and biometric records.
3. Apply the vendor-provided updates.
4. Restart the affected services or devices.
5. Verify functionality after the update.

🔧 Temporary Workarounds

Network Isolation (applies to: all)

Isolate affected systems from untrusted networks and implement strict firewall rules.

Access Control Lists (applies to: all)

Implement IP-based access restrictions to limit which systems can communicate with the vulnerable services.

🧯 If You Can't Patch

  • Segment the network to isolate biometric systems from general corporate networks
  • Implement strict monitoring and alerting for unauthorized administrative actions on these systems

🔍 How to Verify

Check if Vulnerable:

Check the system version in the software interface: a FaceDepot 7B reporting firmware 1.0.213, or a ZKBiosecurity Server reporting 1.0.0_20190723, is an affected version

Check Version:

Check through the software GUI (the terminal's settings screen or the server's About/version page) or its configuration files; there is no standard CLI version check for these products

Verify Fix Applied:

Verify that the reported version is no longer one of the affected versions after applying vendor updates, and confirm with ZKTeco which versions contain the fix

📡 Detection & Monitoring

Log Indicators:

  • Unexpected user creation events
  • Privilege escalation events
  • Administrative actions from IP addresses not associated with known administrator workstations
  • The same authentication token used from more than one source IP or client (token replay leaves no failed-login trail, so do not rely on failed-authentication alerts alone)

Network Indicators:

  • Unusual API calls to user management endpoints
  • Requests carrying a token that was previously seen from a different client address
  • Requests to download face data from unauthorized sources

SIEM Query:

source="zkteco_logs" AND (event_type="user_creation" OR event_type="privilege_change") AND NOT user="authorized_admin"

(The source, field names and account name above are placeholders; map them to the field names your collector actually produces for ZKBiosecurity Server logs.)
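The log and network indicators above come down to two checks: a privileged action by an account that should not be performing it, and a single token appearing from more than one client address. The following script is an added example, not ZKTeco code, that runs both checks over constructed newline-delimited JSON events. The field names (ts, src_ip, user, token, action), the action names, the sample log lines and the admin allowlist are all assumptions; map them to your real log schema.

```python
"""Detect token-replay style administrative abuse in constructed ZKBiosecurity-style logs.

Added example, not ZKTeco code. Field names, action names and the sample events are
assumptions for illustration; adapt them to the real log format.
"""
import json
from collections import defaultdict

# Privileged operations that a replayed token would let an attacker perform (assumed names).
PRIVILEGED_ACTIONS = {"user_create", "privilege_change", "user_delete", "face_data_download"}

# Accounts expected to perform privileged actions (assumption for the example).
AUTHORIZED_ADMINS = {"admin"}

# Constructed sample log lines (one JSON event per line). Not real ZKTeco output.
# tok-A1 is issued to 10.0.5.20 and later replayed from 192.168.77.9;
# guard1 performs a privilege change it should not be allowed to make.
SAMPLE_LOG = """\
{"ts": "2020-08-10T09:00:01Z", "src_ip": "10.0.5.20", "user": "admin", "token": "tok-A1", "action": "login"}
{"ts": "2020-08-10T09:00:05Z", "src_ip": "10.0.5.20", "user": "admin", "token": "tok-A1", "action": "user_list"}
{"ts": "2020-08-10T09:03:42Z", "src_ip": "192.168.77.9", "user": "admin", "token": "tok-A1", "action": "user_create"}
{"ts": "2020-08-10T09:03:50Z", "src_ip": "192.168.77.9", "user": "admin", "token": "tok-A1", "action": "face_data_download"}
{"ts": "2020-08-10T09:10:00Z", "src_ip": "10.0.5.31", "user": "guard1", "token": "tok-B7", "action": "login"}
{"ts": "2020-08-10T09:10:30Z", "src_ip": "10.0.5.31", "user": "guard1", "token": "tok-B7", "action": "privilege_change"}
{"ts": "2020-08-10T09:12:00Z", "src_ip": "10.0.5.40", "user": "operator2", "token": "tok-C3", "action": "door_open"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the whole batch
    return events


def detect_token_reuse(events):
    """Return {token: sorted source IPs} for every token seen from more than one address.

    A session token issued to one client should not turn up from another; that is
    the core signal for the replay this CVE describes.
    """
    ips_by_token = defaultdict(set)
    for ev in events:
        ips_by_token[ev["token"]].add(ev["src_ip"])
    return {tok: sorted(ips) for tok, ips in ips_by_token.items() if len(ips) > 1}


def detect_unauthorized_admin_actions(events, authorized=AUTHORIZED_ADMINS):
    """Return privileged actions performed by accounts outside the admin allowlist."""
    return [ev for ev in events
            if ev["action"] in PRIVILEGED_ACTIONS and ev["user"] not in authorized]


def privileged_actions_with_reused_tokens(events):
    """Return privileged actions done with a token already seen from multiple IPs.

    This is the highest-confidence alert: the account may be a legitimate admin,
    but the token is being used from somewhere the admin never logged in.
    """
    reused = detect_token_reuse(events)
    return [ev for ev in events
            if ev["token"] in reused and ev["action"] in PRIVILEGED_ACTIONS]


def analyze(text):
    """Run all three checks over raw log text and return the findings by category."""
    events = parse_events(text)
    return {
        "token_reuse": detect_token_reuse(events),
        "unauthorized_admin_actions": detect_unauthorized_admin_actions(events),
        "replayed_privileged_actions": privileged_actions_with_reused_tokens(events),
    }


if __name__ == "__main__":
    for category, findings in analyze(SAMPLE_LOG).items():
        print(category)
        for item in (findings.items() if isinstance(findings, dict) else findings):
            print("  ", item)
```

On the sample data the script reports tok-A1 as seen from two addresses, flags the user_create and face_data_download calls made with that token as replayed privileged actions, and separately flags guard1's privilege_change as an action by a non-admin account. In a real deployment, feed it the exported server audit log and replace the allowlist with the accounts that genuinely hold administrative roles.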

🔗 References

  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2020-17474
  • Vendor: https://www.zkteco.com/