1. EXECUTIVE SUMMARY
- CVSS v3 6.5
- ATTENTION: Exploitable remotely/low attack complexity/public exploits are available/known public exploitation
- Vendor: Suprema Inc.
- Equipment: BioStar 2
- Vulnerability: SQL Injection
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to perform a SQL injection to execute arbitrary commands.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Suprema BioStar 2, an access control system, are affected:
- BioStar 2: version 2.8.16
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND (‘SQL INJECTION’) CWE-89
Suprema BioStar 2 v2.8.16 was discovered to contain a SQL injection vulnerability via value parameters.
CVE-2023-27167 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Multiple
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: South Korea
3.4 RESEARCHER
CISA discovered a public proof of concept (PoC) authored by Yuriy (Vander) Tsarenko and reported to Exploit-db.
4. MITIGATIONS
Suprema Inc. has released BioStar 2 2.9.4 to fix this vulnerability.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:
- Minimize network exposure for all control system devices and/or
[…]
This article has been indexed from All CISA Advisories.