CVE-2023-31923
📋 TL;DR
This vulnerability allows authenticated attackers with 'User Operator' privileges in Suprema BioStar 2 to create new user accounts with full administrator privileges due to missing server-side validation. This affects all Suprema BioStar 2 systems before the 2022 Q4 update. Attackers can escalate privileges from limited user access to complete system control.
💻 Affected Systems
- Suprema BioStar 2
📦 What is this software?
BioStar 2 is Suprema Inc.'s web-based access control and time & attendance platform, used to manage its biometric readers, door controllers and the user/credential database behind them. Administrative access to it therefore equals administrative control over physical access.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise where attackers gain full administrative control, can modify all user permissions, disable security features, access sensitive biometric data, and potentially pivot to other systems.
Likely Case
Privilege escalation leading to unauthorized administrative access, allowing attackers to create backdoor accounts, modify access controls, and potentially exfiltrate sensitive biometric and access data.
If Mitigated
Limited impact where the 'User Operator' role is assigned only to a small, known set of accounts, the web interface is reachable only from administrative networks, and user-creation and role-change events are monitored: an attacker can still create an administrator account, but it is caught in the audit logs before it is used.
🎯 Exploit Status
Exploitation requires authenticated access with 'User Operator' privileges. The vulnerability is well-documented with public proof-of-concept available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v2.9.1 (2022 Q4 update)
Vendor Advisory: https://www.supremainc.com/en/support/notice_view.asp?idx=1234&page=1&search=&searchstring=
Restart Required: Yes
Instructions:
1. Back up the current configuration and database.
2. Download BioStar 2 v2.9.1 from the Suprema support portal.
3. Apply the update package.
4. Restart the BioStar 2 service.
5. Verify that all user roles and permissions are still correctly configured after the update.
🔧 Temporary Workarounds
Restrict User Operator Privileges
Temporarily remove or restrict 'User Operator' role assignments until patching can be completed.
Navigate to BioStar 2 Admin Panel > User Management > Edit User Roles > Remove 'User Operator' from all non-essential accounts
Implement Network Segmentation
Restrict access to the BioStar 2 web interface to authorized administrative networks only.
Configure firewall rules to limit BioStar 2 web interface access to specific IP ranges
🧯 If You Can't Patch
- Implement strict monitoring of user creation events and privilege changes in audit logs
- Regularly review and audit all user accounts with administrative privileges
🔍 How to Verify
Check if Vulnerable:
Check the BioStar 2 version in the web interface (Admin Panel > System Information). Any version below 2.9.1 is vulnerable.
Check Version:
The version is shown in the BioStar 2 web interface under System Information. On the server host, sc query "BioStar 2 Service" only confirms that the service is installed and running; it does not report the version, so use the web interface for that.
Verify Fix Applied:
After updating to v2.9.1, log in with an account that holds only the 'User Operator' role and attempt to create a new user with the Administrator role (or to raise an existing user to Administrator). The server must reject the request; if the account is created with administrator privileges, the fix is not in effect.
📡 Detection & Monitoring
Log Indicators:
- Unusual user creation events from 'User Operator' accounts
- Privilege escalation attempts in user management logs
- Multiple administrator account creations in short timeframes
Network Indicators:
- HTTP POST requests to user creation endpoints from non-admin accounts
- Unusual authentication patterns to administrative interfaces
SIEM Query:
source="biostar_logs" AND (event_type="user_creation" AND user_role="administrator" AND source_user_role="operator")
(Field names above are illustrative; map them to the actual field names in your BioStar 2 audit log export or SIEM parser. Also alert on role-change events with the same actor/target-role combination, since promoting an existing user to administrator is the same escalation.)
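The three log indicators above, implemented as offline detection logic. This is an added example, not Suprema code and not the output of any real BioStar 2 installation: the JSON lines, the field names (ts, event, actor, actor_role, target, target_role) and the role strings are constructed for illustration and must be mapped to your own audit-log export before use. It flags (1) any non-administrator actor who creates or promotes a user into the Administrator role, (2) bursts of such grants by one actor within a short window, and (3) later logins by accounts that were created or promoted that way.

```python
"""Detect 'User Operator' -> Administrator escalation in BioStar 2-style audit logs.

Added example; not Suprema code. Log format and field names are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (NOT real BioStar 2 output; field names assumed).
SAMPLE_LOG = """\
{"ts":"2023-05-01T09:00:03Z","event":"user_create","actor":"jdoe","actor_role":"User Operator","target":"temp1","target_role":"User"}
{"ts":"2023-05-01T09:00:41Z","event":"user_create","actor":"jdoe","actor_role":"User Operator","target":"svc_admin","target_role":"Administrator"}
{"ts":"2023-05-01T09:01:10Z","event":"user_create","actor":"jdoe","actor_role":"User Operator","target":"svc_admin2","target_role":"Administrator"}
{"ts":"2023-05-01T09:01:55Z","event":"role_change","actor":"jdoe","actor_role":"User Operator","target":"temp1","target_role":"Administrator"}
{"ts":"2023-05-01T10:15:00Z","event":"user_create","actor":"root_admin","actor_role":"Administrator","target":"newadmin","target_role":"Administrator"}
{"ts":"2023-05-01T10:15:20Z","event":"login","actor":"svc_admin","actor_role":"Administrator"}
"""

PRIVILEGED_ROLES = {"administrator"}          # roles whose grant must come from an admin
ESCALATION_EVENTS = {"user_create", "role_change"}  # events that can assign a role


def parse_events(text):
    """Parse newline-delimited JSON audit records into dicts with datetime timestamps."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def find_escalations(events):
    """Rule 1: a non-administrator actor creates or promotes a user into a privileged role.

    This is the CVE-2023-31923 pattern: the server should have refused the request,
    so any such event in the log is a confirmed policy violation, not a heuristic.
    """
    return [
        e for e in events
        if e.get("event") in ESCALATION_EVENTS
        and e.get("target_role", "").lower() in PRIVILEGED_ROLES
        and e.get("actor_role", "").lower() not in PRIVILEGED_ROLES
    ]


def find_admin_bursts(events, window=timedelta(minutes=5), threshold=2):
    """Rule 2: one actor grants a privileged role >= threshold times inside `window`.

    Returns {actor: max_count_in_any_window}. Sliding window over sorted timestamps.
    """
    per_actor = defaultdict(list)
    for e in events:
        if e.get("event") in ESCALATION_EVENTS and \
                e.get("target_role", "").lower() in PRIVILEGED_ROLES:
            per_actor[e["actor"]].append(e["ts"])
    bursts = {}
    for actor, times in per_actor.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[actor] = max(bursts.get(actor, 0), count)
    return bursts


def find_new_admin_logins(events):
    """Rule 3: an account created/promoted to admin by a non-admin actor logs in later.

    A login by such an account means the backdoor is being used, not just planted.
    """
    planted = {e["target"] for e in find_escalations(events)}
    return [e for e in events if e.get("event") == "login" and e.get("actor") in planted]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for hit in find_escalations(evs):
        print(f"ESCALATION {hit['ts']} {hit['actor']} ({hit['actor_role']}) "
              f"-> {hit['target']} as {hit['target_role']}")
    print("bursts:", find_admin_bursts(evs))
    for hit in find_new_admin_logins(evs):
        print(f"BACKDOOR USED {hit['ts']} login by {hit['actor']}")
```

Rule 1 is the one worth paging on: after the patch it should never fire, and before the patch each hit is an account that must be disabled and investigated. Rules 2 and 3 add triage context (how aggressive the actor was, and whether the planted account has already been used). Point `parse_events` at your real export and adjust the role strings to whatever your tenant uses.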