CVE-2021-35522
📋 TL;DR
A critical buffer overflow vulnerability in Thrift command handlers in IDEMIA biometric devices allows remote attackers to execute arbitrary code, cause denial of service, or disclose sensitive information via specially crafted TCP/IP packets. This affects Morpho Wave Compact, VisionPass, Sigma, and MA VP MD devices with outdated firmware. The vulnerability is remotely exploitable without authentication.
💻 Affected Systems
- Morpho Wave Compact
- VisionPass
- Sigma
- MA VP MD
📦 What is this software?
Morphowave Compact Mdpi Firmware by Idemia
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete device compromise, credential theft, lateral movement to internal networks, and persistent backdoor installation.
Likely Case
Denial of service causing biometric authentication systems to become unavailable, disrupting physical access control and security operations.
If Mitigated
Limited impact if devices are isolated in protected network segments with strict firewall rules and intrusion prevention systems.
🎯 Exploit Status
The vulnerability requires sending crafted TCP/IP packets to the Thrift service port. No authentication is needed, making exploitation straightforward for attackers with network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Morpho Wave Compact and VisionPass: 2.6.2; Sigma: 4.9.4; MA VP MD: 4.9.7
Vendor Advisory: https://biometricdevices.idemia.com/s/global-search/0696700000JJa0zAAD?sharing=true
Restart Required: Yes
Instructions:
1. Download the firmware update from IDEMIA's support portal.
2. Follow vendor-specific upgrade procedures for each device model.
3. Reboot devices after firmware installation.
4. Verify the new firmware version is active.
🔧 Temporary Workarounds
Network Segmentation
Isolate biometric devices in separate VLANs with strict firewall rules to limit access to only authorized management systems.
Access Control Lists
Implement network ACLs to restrict TCP access to the Thrift service port (typically 9090) from only trusted IP addresses.
🧯 If You Can't Patch
- Deploy intrusion prevention systems (IPS) with signatures for buffer overflow attacks targeting Thrift services
- Implement strict network monitoring and alerting for unusual traffic patterns to biometric device ports
🔍 How to Verify
Check if Vulnerable:
Check the device firmware version via the web interface or serial console. Compare it against the patched versions listed under Official Fix for that device model.
Check Version:
Device-specific commands vary by model. Typically accessible via web interface at http://[device-ip]/ or serial console commands.
Verify Fix Applied:
Confirm firmware version matches or exceeds patched versions. Test network connectivity to ensure Thrift service still functions normally for legitimate traffic.
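The version comparison described above, as an added example that is not part of the original advisory or of any IDEMIA tooling: it takes an inventory of (hostname, model, version) records, compares each installed version numerically against the patched release for that model from the Official Fix section, and returns the devices that still need updating. The hostnames and installed versions in the sample inventory are constructed for illustration; the patched versions are the ones stated on this page.

```python
import re

# Patched firmware versions per device model, as listed in this advisory.
PATCHED_VERSIONS = {
    "Morpho Wave Compact": "2.6.2",
    "VisionPass": "2.6.2",
    "Sigma": "4.9.4",
    "MA VP MD": "4.9.7",
}


def parse_version(version: str) -> tuple:
    """Turn a dotted version string such as '4.9.4' into a comparable tuple.

    Only the first three numeric components are used; trailing build tags are
    ignored and missing components count as 0, so '4.9' becomes (4, 9, 0).
    Comparing tuples of ints avoids the classic '2.6.10' < '2.6.2' string bug.
    """
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    nums = [int(p) for p in parts[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_vulnerable(model: str, version: str) -> bool:
    """True when the installed firmware is older than the patched release for this model."""
    if model not in PATCHED_VERSIONS:
        raise KeyError(f"model not covered by CVE-2021-35522: {model!r}")
    return parse_version(version) < parse_version(PATCHED_VERSIONS[model])


def triage(inventory):
    """Return the (hostname, model, version) records that still need the fix applied."""
    return [rec for rec in inventory if is_vulnerable(rec[1], rec[2])]


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and installed versions are made up.
    sample = [
        ("door-01", "Sigma", "4.9.3"),
        ("door-02", "Sigma", "4.9.4"),
        ("lobby", "VisionPass", "2.6.10"),
        ("garage", "Morpho Wave Compact", "2.5.9"),
        ("lab", "MA VP MD", "4.9.7"),
    ]
    for host, model, ver in triage(sample):
        print(f"{host}: {model} {ver} is below {PATCHED_VERSIONS[model]} -> update required")
```

Feed it the versions read from each device's web interface or serial console; a version string that does not parse raises rather than silently passing, so odd firmware labels surface for manual review instead of being marked safe.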
📡 Detection & Monitoring
Log Indicators:
- Multiple connection attempts to Thrift service port
- Device crash/restart logs
- Unusual process creation on device
Network Indicators:
- Unusual volume of TCP packets to port 9090 (default Thrift)
- Malformed packet patterns targeting biometric devices
SIEM Query (pseudo-syntax; adapt field names and the size threshold to your platform):
source_ip="*" AND dest_port=9090 AND (packet_size>threshold OR protocol_anomaly=true)
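The three indicators above (traffic to the Thrift port from hosts outside the management allow list, an unusual number of connections from one source, and oversized segments) expressed as runnable detection logic over flow-log lines, as an added example that is not part of the original advisory or any vendor tooling. The log line format, the trusted management address, and both thresholds are assumptions chosen for illustration and should be replaced with your own values; the sample log is constructed.

```python
import re
from collections import Counter

THRIFT_PORT = 9090        # default Thrift service port named in the advisory
CONN_THRESHOLD = 20       # assumed tuning value: connections per source before alerting
SIZE_THRESHOLD = 4096     # assumed tuning value: bytes per segment before alerting
# Management hosts allowed to reach the Thrift port (constructed for this example).
TRUSTED_SOURCES = {"10.0.0.5"}

# Assumed flow-log line format: "<timestamp> src=A dst=B dport=N proto=tcp bytes=N"
LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) bytes=(?P<bytes>\d+)"
)


def parse_flow(line):
    """Parse one flow-log line into a dict; None for lines not in the assumed format."""
    m = LINE_RE.search(line)
    if not m:
        return None
    flow = m.groupdict()
    flow["dport"] = int(flow["dport"])
    flow["bytes"] = int(flow["bytes"])
    return flow


def analyze(lines):
    """Apply the advisory's indicators and return a sorted list of (source, reason) alerts."""
    alerts = set()
    per_source = Counter()
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow["dport"] != THRIFT_PORT or flow["proto"] != "tcp":
            continue  # only TCP traffic to the Thrift port is in scope
        per_source[flow["src"]] += 1
        if flow["src"] not in TRUSTED_SOURCES:
            alerts.add((flow["src"], "untrusted source reached Thrift port"))
        if flow["bytes"] > SIZE_THRESHOLD:
            alerts.add((flow["src"], "oversized segment to Thrift port"))
    for src, n in per_source.items():
        if n > CONN_THRESHOLD:
            alerts.add((src, f"{n} connections to Thrift port exceeds {CONN_THRESHOLD}"))
    return sorted(alerts)


# Constructed sample log: one trusted management host, one noisy untrusted host,
# one untrusted host sending a single oversized segment, and unrelated HTTPS traffic.
SAMPLE_LOG = (
    ["2024-05-01T10:00:00Z src=10.0.0.5 dst=10.0.1.20 dport=9090 proto=tcp bytes=256"] * 5
    + ["2024-05-01T10:00:01Z src=10.0.9.77 dst=10.0.1.20 dport=9090 proto=tcp bytes=300"] * 25
    + ["2024-05-01T10:00:02Z src=10.0.9.78 dst=10.0.1.20 dport=9090 proto=tcp bytes=65000"]
    + ["2024-05-01T10:00:03Z src=10.0.0.5 dst=10.0.1.20 dport=443 proto=tcp bytes=1200"]
)

if __name__ == "__main__":
    for src, reason in analyze(SAMPLE_LOG):
        print(f"ALERT {src}: {reason}")
```

Run it over a window of flow records for the biometric device VLAN; the allow-list check is the same policy the ACL workaround enforces, so an alert from it means either a missing ACL entry or a host that should not be talking to the device at all.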
🔗 References
- https://biometricdevices.idemia.com/s/global-search/0696700000JJa0zAAD?sharing=true
- https://biometricdevices.idemia.com/s/global-search/0696700000JJa1nAAD?sharing=true
- https://www.idemia.com