CVE-2023-38950
📋 TL;DR
An unauthenticated path traversal vulnerability in ZKTeco BioTime's iclock API allows attackers to read arbitrary files on the system by sending specially crafted requests. This affects ZKBioTime version 8.5.5 and potentially earlier versions. Organizations using vulnerable versions of ZKBioTime for biometric time and attendance systems are at risk.
💻 Affected Systems
- ZKTeco BioTime
📦 What is this software?
ZKTeco BioTime (also shipped as ZKBioTime) is a web-based biometric time and attendance management platform. Its iclock API, listening on TCP port 8080 by default, is the endpoint the biometric terminals use to push data to the server, which is why it is reachable from the device network and why the traversal flaw in it can be reached without credentials.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read sensitive system files, configuration files containing credentials, or personal biometric data, leading to full system compromise, data theft, or credential harvesting.
Likely Case
Attackers would read configuration files to obtain credentials, then use those credentials to gain further access to the system or network.
If Mitigated
With proper network segmentation and access controls, impact would be limited to the BioTime system itself without lateral movement.
🎯 Exploit Status
Exploit code is publicly available on Packet Storm (ID: 177859), making this easily exploitable.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.0.120240617.19506
Vendor Advisory: http://zkteco.com
Restart Required: Yes
Instructions:
1. Download ZKBioTime v9.0.120240617.19506 or later from ZKTeco.
2. Backup current configuration and data.
3. Install the update following vendor instructions.
4. Restart the BioTime service or server.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the BioTime server's iclock API port (default 8080) to only trusted devices/IPs.
# Example firewall rules (Linux iptables): accept the trusted IP first, then drop all other traffic to the port (rule order matters with -A)
iptables -A INPUT -p tcp --dport 8080 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
# Example firewall rule (Windows): allow only the trusted IP; keep the profile's default inbound action at Block and remove any broad Allow rule for the port, since an unscoped Block rule would override this Allow rule
New-NetFirewallRule -DisplayName "Allow BioTime API from trusted IP" -Direction Inbound -Protocol TCP -LocalPort 8080 -RemoteAddress TRUSTED_IP -Action Allow
API Authentication Enforcement
Configure the iclock API to require authentication if supported by your version.
# Check ZKBioTime web interface -> System Settings -> Device Management -> iclock settings
🧯 If You Can't Patch
- Isolate the BioTime server on a dedicated VLAN with strict firewall rules allowing only necessary device communication.
- Implement a web application firewall (WAF) or reverse proxy in front of BioTime to filter malicious path traversal attempts.
🔍 How to Verify
Check if Vulnerable:
Attempt to access the iclock API endpoint (typically http://[BioTime_IP]:8080/iclock/) with a path traversal payload like /iclock/../../windows/win.ini (Windows) or /iclock/../../etc/passwd (Linux). If you receive file contents, the system is vulnerable.
Check Version:
Check the ZKBioTime web interface login page or admin panel for version information.
Verify Fix Applied:
After patching, repeat the vulnerable check; you should receive an error or no file contents. Also verify the version is 9.0.120240617.19506 or later.
📡 Detection & Monitoring
Log Indicators:
- Unusual access to iclock API endpoints with ../ sequences in the URL
- Multiple failed attempts to access system files via the API
- Access from unexpected IP addresses to port 8080
Network Indicators:
- HTTP requests to /iclock/ with ../ patterns in the path
- Unusual outbound traffic from the BioTime server after exploitation
SIEM Query:
source="*BioTime*" AND url="*/iclock/*" AND (url="*../*" OR url="*..\\*" OR url="*%2e%2e*" OR url="*%2E%2E*")
# Add AND status=200 to narrow to requests that likely returned file contents. Do not alert on every status=200 request to /iclock/ on its own: normal terminal check-ins produce exactly that and the rule would be pure noise.
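The filtering that the "If You Can't Patch" section asks of a WAF or reverse proxy, and the log and network indicators listed above, come down to one question: does a request addressed to /iclock/ still resolve inside it after percent-decoding and path normalization? The following is an added example, not ZKTeco's code and not the published exploit. It applies that check once as the allow/reject decision a proxy in front of BioTime could make, and once as a detector over access-log lines. The log lines, client addresses, device serial numbers and the Combined Log Format layout are constructed assumptions for the example; BioTime's own log format may differ.

```python
"""Added example (not ZKTeco's code): one path-normalization routine used
(1) as a reverse-proxy/WAF allow-or-reject decision for /iclock/ requests and
(2) as a detector over constructed web-server access log lines.
All log lines, IPs and serial numbers below are constructed for the example."""
import posixpath
import re
from collections import Counter
from urllib.parse import unquote

ICLOCK_PREFIX = "/iclock/"

# Combined Log Format (assumed): client ident user [timestamp] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def fully_decoded(raw_path: str) -> str:
    """Strip the query string, then percent-decode until the value stops
    changing, so double-encoded sequences (%252e -> %2e -> .) are resolved."""
    path = raw_path.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def escapes_prefix(raw_path: str, prefix: str = ICLOCK_PREFIX) -> bool:
    """Proxy decision for one request path: True when a request addressed to
    the iclock API resolves outside it after normalization. Paths that are
    not under the API prefix are out of scope here and return False."""
    decoded = fully_decoded(raw_path)
    if not decoded.startswith(prefix):
        return False
    # Treat backslashes as separators, then collapse '.' and '..' segments.
    canonical = posixpath.normpath(decoded.replace("\\", "/"))
    return not (canonical + "/").startswith(prefix)


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_traversal_attempts(log_text: str):
    """Return (alerts, per_source). Each alert is the parsed request that
    escaped /iclock/; successful_read is True when the server answered 200,
    which is the page's indicator that file contents were returned."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and escapes_prefix(rec["path"]):
            rec["successful_read"] = rec["status"] == 200
            alerts.append(rec)
    return alerts, Counter(a["ip"] for a in alerts)


# Constructed sample log: two normal terminal check-ins, three traversal
# attempts from one source (plain, single-encoded, double-encoded) and one
# unrelated login-page request.
SAMPLE_LOG = """\
10.0.5.20 - - [12/Mar/2024:10:01:02 +0000] "GET /iclock/cdata?SN=EXAMPLE001&options=all HTTP/1.1" 200 312
10.0.5.21 - - [12/Mar/2024:10:01:05 +0000] "POST /iclock/cdata?SN=EXAMPLE002&table=ATTLOG HTTP/1.1" 200 2
198.51.100.7 - - [12/Mar/2024:10:02:11 +0000] "GET /iclock/../../etc/passwd HTTP/1.1" 200 1865
198.51.100.7 - - [12/Mar/2024:10:02:12 +0000] "GET /iclock/..%2f..%2fwindows/win.ini HTTP/1.1" 200 403
198.51.100.7 - - [12/Mar/2024:10:02:13 +0000] "GET /iclock/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 403 0
10.0.5.22 - - [12/Mar/2024:10:03:00 +0000] "GET /login/ HTTP/1.1" 200 5120
"""

if __name__ == "__main__":
    found, by_source = find_traversal_attempts(SAMPLE_LOG)
    for a in found:
        flag = "READ-OK" if a["successful_read"] else "blocked"
        print(f"{a['ts']} {a['ip']} {a['method']} {a['path']} -> {a['status']} [{flag}]")
    print("attempts per source:", dict(by_source))
```

The decode loop is what makes the check useful as a proxy rule: a single `unquote` would pass `%252e%252e` through unchanged, and a literal `..` match would miss `%2e%2e` and backslash separators. Treating a 200 response as a probable successful read is a heuristic; confirm against the response size and the patch level before declaring compromise.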
🔗 References
- http://zkteco.com
- https://claroty.com/team82/disclosure-dashboard/cve-2023-38950
- https://sploitus.com/exploit?id=PACKETSTORM:177859
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-38950
- https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-middle-east.pdf