Numerous critical vulnerabilities existed in the GeoVision card and fingerprint scanners. These include some critical vulnerabilities as well, one of which still awaits a fix.
GeoVision Scanner Vulnerabilities
Researchers from cybersecurity firm Acronis have discovered numerous security bugs in GeoVision devices.
Sharing the details in a post, the researchers revealed that they found four critical vulnerabilities in GeoVision fingerprint, card scanners. These include,
- CVE-2020-3928 – the adaptation of hardcoded root password risking the entire GeoVision Door Access Control device family due to the same password.
- CVE-2020-3929 – implementation of shared cryptographic private keys for HTTPS and SSH. An attacker could hence conduct MiTM attacks with derived keys whilst breaking the encryption.
- CVE-2020-3930 – improper storage and access control to system logs allowed any user to read logs.
Besides, the fourth vulnerability, for which the researchers haven’t disclosed the CVE ID yet, was a buffer overflow vulnerability. Exploiting this bug could allow an attacker to execute arbitrary codes on the target devices without requiring authentication.
Regarding the risks related to these vulnerabilities, team Acronis stated that the bugs may allow state-sponsored attacks on the traffic. Describing the impact of the bugs further, they stated,
Using these vulnerabilities, attackers could remotely open doors without the keycards, install Trojans on those devices, establish their persistence on the network, spy on internal users, and steal fingerprints and other data – all without ever being detected.
Status Of Bug Fixes
The researchers revealed that the three disclosed bugs affected the GeoVision access card scanners, fingerprint scanners, and access management appliances globally. Among these, the vulnerabilities CVE-2020-3928 and CVE-2020-3929 affected the following products.
- GV-AS210 version 2.21 and earlier
- GV-AS410 version 2.21 and earlier
- GV-AS410 version 2.21 and earlier
- GV-GF192x version 1.10 and earlier
- GV-AS1010 version 1.32 and earlier
Whereas, the vulnerability CVE-2020-3930 and the fourth bug affected the GV-GF192x version 1.10.
Upon finding these bugs, the researchers reached out to GeoVision in August 2019.
However, it took the firm all the way to June 2020 to fix three of these bugs (the ones with disclosed CVE IDs). The updated product versions include,
- GV-AS210 version 2.22
- GV-AS410 version 2.22
- GV-AS810 version 2.22
- GV-GF192x version 1.22
- GV-AS1010 version 1.33
Whereas, the fourth vulnerability, which is also the most severe of all, with a CVSS score of 10.0, still awaits a fix.
The Taiwan-based tech firm GeoVision primarily manufactures security and surveillance devices, including IP cameras, fingerprint scanners, and more.