CVE-2023-38028
📋 TL;DR
Saho ADM100 and ADM-100FP attendance devices have insufficient authentication, allowing unauthenticated remote attackers to bypass authentication and access system information and user data. This affects organizations using these specific attendance tracking devices. Attackers cannot control the system or disrupt services, but can read sensitive information.
💻 Affected Systems
- Saho ADM100
- Saho ADM-100FP
⚠️ Risk & Real-World Impact
Worst Case
Unauthenticated attackers access sensitive employee attendance data, personal information, and system details, potentially leading to privacy violations, corporate espionage, or credential harvesting for further attacks.
Likely Case
Attackers scan for exposed devices and extract attendance records containing employee names, IDs, timestamps, and potentially other personal data stored in the system.
If Mitigated
With proper network segmentation and access controls, impact is limited to unauthorized data viewing without system compromise or service disruption.
🎯 Exploit Status
Authentication bypass vulnerabilities are typically easy to exploit with basic HTTP requests or network scanning tools.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched versions
Vendor Advisory: https://www.twcert.org.tw/tw/cp-132-7335-d300a-1.html
Restart Required: Yes
Instructions:
1. Contact Saho vendor for firmware updates
2. Download latest firmware from vendor portal
3. Apply firmware update following vendor instructions
4. Restart device after update
🔧 Temporary Workarounds
Network Segmentation
Isolate attendance devices on a separate VLAN with strict firewall rules
Access Control Lists
Implement IP-based restrictions so that only authorized management stations can reach the devices
🧯 If You Can't Patch
- Place devices behind VPN with multi-factor authentication for remote access
- Implement network monitoring and alerting for unauthorized access attempts to device IPs
🔍 How to Verify
Check if Vulnerable:
Attempt unauthenticated access to the device web interface or API endpoints. If system information or user data is returned without credentials, the device is vulnerable.
Check Version:
Check the system information page of the device web interface, or consult vendor documentation.
Verify Fix Applied:
After patching, verify authentication is required for all system information and user data access attempts.
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated access attempts to device management interfaces
- Multiple failed login attempts followed by successful data access without authentication
Network Indicators:
- Unusual HTTP requests to device endpoints without authentication headers
- Traffic from unexpected IP addresses to device management ports
SIEM Query:
dest_ip=<device_ip> AND http_method=GET AND http_status=200 AND NOT (http_cookie contains 'session' OR http_authorization=*)
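The SIEM query above, carried out as an added detection example (not part of this advisory and not the vendor's code) over constructed access-log lines: it flags successful GETs to the device that carry neither a session cookie nor an Authorization header, and tags those coming from hosts outside the management allowlist. The device IP, allowlist, public path set and the key=value log format are all assumptions; the Saho devices' real log format and URL paths are not given on this page.

```python
import re

DEVICE_IP = "10.0.9.10"           # constructed address of the attendance device
MANAGEMENT_HOSTS = {"10.0.5.21"}  # constructed allowlist of management stations
PUBLIC_PATHS = {"/login"}         # pages expected to be reachable before login

# Constructed access-log sample in key=value form, standing in for a reverse
# proxy or firewall in front of the device. "-" means the field was absent.
SAMPLE_LOGS = """\
src=10.0.5.21 dst=10.0.9.10 method=GET path=/login status=200 cookie=- authz=-
src=10.0.5.21 dst=10.0.9.10 method=POST path=/login status=302 cookie=- authz=-
src=10.0.5.21 dst=10.0.9.10 method=GET path=/users status=200 cookie=session=abc123 authz=-
src=203.0.113.7 dst=10.0.9.10 method=GET path=/users status=200 cookie=- authz=-
src=203.0.113.7 dst=10.0.9.10 method=GET path=/sysinfo status=200 cookie=- authz=-
src=10.0.5.30 dst=10.0.9.10 method=GET path=/users status=401 cookie=- authz=-
src=10.0.5.30 dst=10.0.9.99 method=GET path=/users status=200 cookie=- authz=-
src=10.0.5.21 dst=10.0.9.10 method=GET path=/sysinfo status=200 cookie=- authz=-
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Turn one key=value log line into a dict; a '-' value becomes None."""
    fields = dict(FIELD_RE.findall(line))
    return {k: (None if v == "-" else v) for k, v in fields.items()}

def is_authenticated(rec):
    """Same test as the SIEM query: a session cookie or an Authorization header."""
    cookie = rec.get("cookie") or ""
    return "session" in cookie or rec.get("authz") is not None

def find_unauthenticated_reads(log_text, device_ip=DEVICE_IP,
                               public_paths=PUBLIC_PATHS,
                               management_hosts=MANAGEMENT_HOSTS):
    """Alert on successful GETs of protected device paths that carry no
    authentication; mark alerts whose source is not a known management host."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("dst") != device_ip or rec.get("method") != "GET":
            continue
        if rec.get("status") != "200" or rec.get("path") in public_paths:
            continue
        if is_authenticated(rec):
            continue
        alerts.append({"src": rec["src"], "path": rec["path"],
                       "unexpected_source": rec["src"] not in management_hosts})
    return alerts

if __name__ == "__main__":
    for a in find_unauthenticated_reads(SAMPLE_LOGS):
        print(f"unauthenticated read of {a['path']} from {a['src']}", a)
```

The login page is excluded on purpose: a 200 there without a cookie is normal, whereas a 200 for user or system data without one is exactly the condition this CVE describes.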