CVE-2023-38954

9.8 CRITICAL

📋 TL;DR

CVE-2023-38954 is a critical SQL injection vulnerability in ZKTeco BioAccess IVS v3.3.1 that allows attackers to execute arbitrary SQL commands on the database. Organizations running this specific version of ZKTeco's biometric access control software are exposed to unauthorized data access or system compromise.

💻 Affected Systems

Products:
  • ZKTeco BioAccess IVS
Versions: v3.3.1
Operating Systems: Windows-based systems running the software
Default Config Vulnerable: ⚠️ Yes
Notes: Specifically affects the web interface component of BioAccess IVS v3.3.1

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system takeover, credential theft, data exfiltration, and potential lateral movement to connected systems

🟠

Likely Case

Unauthorized access to biometric data, user credentials, and access control logs leading to privilege escalation

🟢

If Mitigated

Limited impact with proper network segmentation, input validation, and database permissions

🌐 Internet-Facing: HIGH - If exposed to internet, attackers can remotely exploit without authentication
🏢 Internal Only: HIGH - Even internally, SQL injection can lead to full system compromise

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities are commonly weaponized and require minimal technical skill to exploit

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v3.3.2 or later

Vendor Advisory: http://zkteco.com

Restart Required: Yes

Instructions:

1. Download the latest version from the ZKTeco website
2. Back up the current configuration
3. Install the update
4. Restart the system
5. Verify functionality

🔧 Temporary Workarounds

Web Application Firewall

all

Deploy WAF with SQL injection protection rules

Network Segmentation

all

Isolate BioAccess IVS from internet and restrict internal access

🧯 If You Can't Patch

  • Implement strict input validation and parameterized queries
  • Restrict database user permissions to minimum required

🔍 How to Verify

Check if Vulnerable:

Check software version in BioAccess IVS admin interface

Check Version:

Check via web interface: Admin > System Information

Verify Fix Applied:

Confirm the version is v3.3.2 or later and test that SQL injection attempts against the web interface are blocked

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts with SQL syntax

Network Indicators:

  • SQL injection patterns in HTTP requests to BioAccess IVS

SIEM Query:

source="web_logs" AND (url="*BioAccess*" AND (message="*SELECT*" OR message="*UNION*" OR message="*OR 1=1*"))
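The SIEM query above, implemented as a small log scanner for environments without a SIEM. This is an added example, not from the page or from ZKTeco: it applies the same three patterns to requests whose path contains "BioAccess", but URL-decodes the request first, which the raw wildcard match would miss for encoded payloads. The log lines, IPs and paths are constructed samples.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Common Log Format); not from any real deployment.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /BioAccess/login.aspx?user=admin HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /BioAccess/login.aspx?user=admin%27%20OR%201%3D1-- HTTP/1.1" 200 4096',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /other/app?q=SELECT HTTP/1.1" 200 100',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /BioAccess/report.aspx?id=1%20UNION%20SELECT%20null HTTP/1.1" 500 0',
]

# Minimal Common Log Format parser: client IP, timestamp, method, URL, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# The same three indicators the SIEM query uses, matched as whole words, case-insensitively.
SQLI_RE = re.compile(r"\bSELECT\b|\bUNION\b|\bOR\s+1\s*=\s*1\b", re.IGNORECASE)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(entry):
    """True when the request targets BioAccess and its decoded URL carries an SQLi indicator."""
    if entry is None or "bioaccess" not in entry["url"].lower():
        return False
    decoded = unquote_plus(entry["url"])  # %27 -> ', %20 -> space, %3D -> =
    return SQLI_RE.search(decoded) is not None


def scan(lines):
    """Return (ip, status, decoded_url) for every line that trips the detection."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if is_suspicious(entry):
            hits.append((entry["ip"], entry["status"], unquote_plus(entry["url"])))
    return hits


if __name__ == "__main__":
    for ip, status, url in scan(SAMPLE_LOGS):
        print(f"ALERT src={ip} status={status} url={url}")
```

Requests to other applications are ignored even when they contain the keywords, so tune the path filter to wherever BioAccess IVS is actually mounted in your environment.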

🔗 References
