CVE-2023-38030
📋 TL;DR
Saho ADM100 and ADM-100FP attendance devices lack authentication for critical functions, allowing unauthenticated remote attackers to execute system commands via website URLs to read sensitive device information. This affects organizations using these specific attendance tracking devices. The vulnerability enables unauthorized access to device data without any credentials.
💻 Affected Systems
- Saho ADM100
- Saho ADM-100FP
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise allowing attackers to extract all stored attendance data, modify device configurations, or use the device as an entry point into the corporate network.
Likely Case
Unauthorized access to sensitive employee attendance records, personal information, and device configuration data.
If Mitigated
Limited impact if devices are isolated on internal networks with strict firewall rules and network segmentation.
🎯 Exploit Status
Exploitation requires only web access to the device and knowledge of vulnerable URLs. No authentication or special tools needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor for specific patched firmware version
Vendor Advisory: https://www.twcert.org.tw/tw/cp-132-7337-501df-1.html
Restart Required: Yes
Instructions:
1. Contact Saho vendor for latest firmware. 2. Backup device configuration. 3. Apply firmware update via device web interface. 4. Verify authentication is required for all critical functions.
🔧 Temporary Workarounds
Network Isolation
allPlace devices on isolated VLAN with strict firewall rules blocking external access
Access Control Lists
allImplement IP-based restrictions to only allow authorized management systems to access device web interface
🧯 If You Can't Patch
- Segment devices on isolated network segments with no internet access
- Implement strict firewall rules to only allow necessary management traffic from authorized IPs
🔍 How to Verify
Check if Vulnerable:
Attempt to access device web interface critical functions without authentication. Check if system information or configuration can be accessed via URLs without login.Check Version:
Check device web interface system information page or contact vendor for firmware version verificationVerify Fix Applied:
After patching, verify that all critical functions require authentication and system commands cannot be executed via URLs without proper credentials.📡 Detection & Monitoring
Log Indicators:
- Unauthenticated access attempts to system URLs
- Multiple failed authentication attempts followed by successful system access
- Unusual access patterns to device configuration pages
Network Indicators:
- HTTP requests to device URLs containing system commands without authentication headers
- Traffic to device web interface from unauthorized IP addresses
SIEM Query:
source="device_logs" AND (url="*/system/*" OR url="*/config/*") AND auth_status="failed" OR auth_status="none"