CVE-2023-38951

9.8 CRITICAL

📋 TL;DR

This vulnerability in ZKTeco BioTime allows authenticated attackers to perform path traversal attacks via crafted requests to /base/sftpsetting/ endpoints. By exploiting insufficient input sanitization in the SSH Key field and path traversal in the Username field, attackers can create or overwrite arbitrary files on the server, potentially leading to remote code execution with SYSTEM privileges. Organizations using ZKTeco BioTime versions 8.5.5 through 9.x before 9.0.1 (20240617.19506) are affected.

💻 Affected Systems

Products:
  • ZKTeco BioTime
Versions: 8.5.5 through 9.x before 9.0.1 (20240617.19506)
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the web interface. The vulnerability exists in the SFTP settings functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with NT AUTHORITY\SYSTEM privileges leading to complete control of the server, data exfiltration, ransomware deployment, or lateral movement within the network.

🟠 Likely Case

Arbitrary file creation/overwrite leading to web shell deployment, credential theft, or service disruption through critical file manipulation.

🟢 If Mitigated

Limited impact due to network segmentation, strict access controls, and monitoring preventing successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Multiple public exploit scripts and detailed write-ups are available. Exploitation requires valid credentials but is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.0.1 (20240617.19506)

Vendor Advisory: https://www.zkteco.com/en/announcement

Restart Required: Yes

Instructions:

1. Download ZKBioTime 9.0.1 (20240617.19506) from the official ZKTeco website.
2. Back up the current configuration and data.
3. Install the update following vendor instructions.
4. Restart the BioTime service or server.

🔧 Temporary Workarounds

Block Vulnerable Endpoints (applies to: all)

Temporarily block access to /base/sftpsetting/ endpoints via web application firewall or network controls.

Restrict Access to Management Interface (applies to: all)

Limit access to the BioTime web interface to trusted IP addresses only.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate BioTime servers from critical systems
  • Enforce strong authentication policies and monitor for suspicious authentication attempts

🔍 How to Verify

Check if Vulnerable:

Check BioTime version in web interface or via installed files. Versions 8.5.5 through 9.x before 9.0.1 (20240617.19506) are vulnerable.

Check Version:

Check web interface login page or application version file in installation directory

Verify Fix Applied:

Verify version is 9.0.1 (20240617.19506) or later in the web interface or application properties.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /base/sftpsetting/ endpoints
  • Multiple failed authentication attempts followed by successful login
  • File creation/modification in unexpected directories

Network Indicators:

  • HTTP requests with path traversal sequences (../) in parameters
  • Unusual outbound connections from BioTime server

SIEM Query:

source="biotime" AND (url="/base/sftpsetting/" OR (parameter CONTAINS "../" AND url="/base/sftpsetting/"))
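The log and network indicators above can be checked outside a SIEM as well. The following script is an added example (not part of this advisory or of any ZKTeco tooling) that scans web-server access-log lines for requests to the /base/sftpsetting/ endpoints and flags those whose parameters contain a traversal sequence after URL decoding, while marking any other POST to the endpoint for review. The log line format, the field names and the sample lines are constructed assumptions.

```python
"""Constructed detection example for CVE-2023-38951 log indicators.

Assumed log format (constructed, one request per line):
    METHOD PATH PARAMS STATUS
where PARAMS is the URL-encoded query string or form body.
"""
from urllib.parse import parse_qs, unquote

# Constructed sample access-log lines; the traversal values are illustrative only.
SAMPLE_LOG = """\
POST /base/sftpsetting/ username=admin&sshkey=AAAA 200
POST /base/sftpsetting/ username=..%2F..%2Fsome%2Fdir%2Ffile&sshkey=AAAA 200
GET /base/sftpsetting/ page=1 200
POST /login/ username=bob&password=secret 302
POST /base/sftpsetting/ username=../../some/dir/file&sshkey=BBBB 200
"""

# Endpoint prefix named in the advisory's log indicators.
ENDPOINT_PREFIX = "/base/sftpsetting/"


def parse_line(line):
    """Split one constructed log line into (method, path, params, status)."""
    method, path, params, status = line.split(" ", 3)
    return method, path, params, status


def has_traversal(value):
    """True if a parameter value contains ../ or ..\\ after URL decoding.

    parse_qs already decodes once; decoding again collapses double-encoded
    input so that ..%252F is treated the same as ../ (Windows hosts also
    accept the backslash form, hence the second check).
    """
    decoded = unquote(unquote(value))
    return "../" in decoded or "..\\" in decoded


def classify(line):
    """Return 'traversal', 'review' or None for one log line.

    'traversal': request to the SFTP settings endpoint with a traversal
                 sequence in any parameter value (highest priority).
    'review':    any other POST to the endpoint, which the advisory lists
                 as worth inspecting.
    None:        everything else.
    """
    method, path, params, _status = parse_line(line)
    if not path.startswith(ENDPOINT_PREFIX):
        return None
    values = [v for vs in parse_qs(params, keep_blank_values=True).values() for v in vs]
    if any(has_traversal(v) for v in values):
        return "traversal"
    if method == "POST":
        return "review"
    return None


def scan(log_text):
    """Scan a log text and return [(line_number, verdict), ...] for hits."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        verdict = classify(line)
        if verdict is not None:
            findings.append((number, verdict))
    return findings


if __name__ == "__main__":
    for number, verdict in scan(SAMPLE_LOG):
        print(f"line {number}: {verdict}")
```

Run against a real access log, the `parse_line` function is the only part that needs adapting to the server's actual format; the traversal check and the endpoint filter stay the same. Double decoding is deliberate: a single-decode check would miss `..%252F`, and false positives from decoding twice are cheap compared to a missed write to an arbitrary path.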
