CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Description
ZKTeco ZKBioSecurity 3.0 contains a local authorization bypass vulnerability in visLogin.jsp that allows attackers to authenticate without valid credentials by spoofing localhost requests. Attackers can exploit the EnvironmentUtil.getClientIp() method which treats IPv6 loopback address 0:0:0:0:0:0:0:1 as 127.0.0.1 and authenticates using the IP as username with hardcoded password 123456 to access sensitive information and perform unauthorized actions.
Analysis
ZKTeco ZKBioSecurity 3.0 contains a local authentication bypass vulnerability in visLogin.jsp that allows low-privileged attackers to authenticate without valid credentials by spoofing IPv6 loopback addresses and leveraging hardcoded credentials. Once authenticated through the bypass, a local attacker can access sensitive information and perform unauthorized actions. Public exploits are available (Packet Storm Security, Exploit-DB), indicating moderate real-world risk despite the 5.5 CVSS score, which reflects the local-only attack vector.
Technical Context
The vulnerability exists in the visLogin.jsp authentication handler of ZKTeco ZKBioSecurity (CPE: cpe:2.3:a:zkteco_inc.:zkteco_zkbiosecurity:*:*:*:*:*:*:*:*), specifically in the EnvironmentUtil.getClientIp() method. The root cause is CWE-798 (Use of Hard-Coded Credentials): the application implements a localhost-only authentication path that uses the client IP address as the username and the hardcoded password '123456'. The bypass relies on inconsistent handling of the IPv6 loopback notation (0:0:0:0:0:0:0:1), which should be treated as equivalent to 127.0.0.1 but is not normalised consistently, so IPv6 requests can satisfy the IP-based access check. This is a classic implementation flaw: IP-based authentication combined with hardcoded credentials creates a trivial bypass path for any local user.
Affected Products
ZKTeco ZKBioSecurity version 3.0 (CPE: cpe:2.3:a:zkteco_inc.:zkteco_zkbiosecurity:*:*:*:*:*:*:*:*). The CPE wildcard indicates all 3.0.x minor/patch versions are in scope. ZKTeco Inc. is a Chinese biometric security and access control vendor; ZKBioSecurity is their enterprise identity verification platform. No vendor advisory links are present in the provided references; however, vulnerability documentation exists at ZeroScience (ZSL-2016-5367.php), CXSecurity, IBM X-Force, and VulnCheck. The lack of official ZKTeco vendor advisory suggests possible end-of-life status for this product line.
Remediation
Specific patch versions are not documented in provided references. Recommended actions:
1. Contact ZKTeco Inc. directly to determine if patches exist for version 3.0 or if an upgrade to version 4.x or later is required.
2. If patching is unavailable, implement network-level mitigations: restrict local access to ZKBioSecurity systems via host-based firewall rules (ufw or iptables on Linux; Windows Firewall on Windows).
3. Disable or restrict access to the visLogin.jsp endpoint if an alternative authentication method exists.
4. Monitor for exploitation attempts by logging authentication via the IPv6 loopback address (0:0:0:0:0:0:0:1) or usernames that match IP addresses.
5. Consider upgrading to a newer ZKTeco product version if available and supported.
6. If the application permits, change the hardcoded password '123456' via application configuration files (if modifiable), though this may require source code modification.
Immediate action: segregate ZKBioSecurity systems from untrusted local users.
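As an added example (not code from vuln.today or ZKTeco), the monitoring described in step 4 expressed as detection logic run over constructed sample log lines. The `client=... user=... result=...` log format is an assumption, since the product's actual login log layout is not documented here; the check flags usernames that parse as IP addresses, loopback client addresses (including IPv4-mapped IPv6), and username/client matches.

```python
import ipaddress
import re

# Constructed sample log lines in a hypothetical format; ZKBioSecurity's real
# visLogin.jsp log layout is not documented on this page.
SAMPLE_LOG = """\
2016-07-01T10:00:01Z visLogin.jsp client=192.168.10.25 user=jsmith result=success
2016-07-01T10:00:07Z visLogin.jsp client=0:0:0:0:0:0:0:1 user=0:0:0:0:0:0:0:1 result=success
2016-07-01T10:00:09Z visLogin.jsp client=::ffff:127.0.0.1 user=127.0.0.1 result=success
2016-07-01T10:00:12Z visLogin.jsp client=192.168.10.40 user=192.168.10.40 result=failure
2016-07-01T10:00:15Z visLogin.jsp client=10.0.0.5 user=operator result=failure
"""

LINE_RE = re.compile(r"client=(?P<client>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>\S+)")


def parse_ip(text):
    """Return an address object or None; IPv4-mapped IPv6 (::ffff:a.b.c.d) is unwrapped
    so that 0:0:0:0:0:0:0:1, ::1 and ::ffff:127.0.0.1 all compare as loopback."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    mapped = getattr(addr, "ipv4_mapped", None)
    return mapped if mapped is not None else addr


def flag_suspicious_logins(log_text):
    """Return (line_no, result, reasons) for login events matching the bypass pattern."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.search(line)
        if not m:
            continue
        client = parse_ip(m["client"])
        user_ip = parse_ip(m["user"])
        reasons = []
        if user_ip is not None:
            reasons.append("username is an IP address")
        if client is not None and client.is_loopback:
            reasons.append("client address is loopback (%s)" % m["client"])
        if user_ip is not None and client is not None and user_ip == client:
            reasons.append("username equals client address")
        if reasons:
            findings.append((line_no, m["result"], reasons))
    return findings


if __name__ == "__main__":
    for line_no, result, reasons in flag_suspicious_logins(SAMPLE_LOG):
        print(f"line {line_no} [{result}]: " + "; ".join(reasons))
```

Failed attempts with an IP-shaped username are worth alerting on as well, since they may precede a successful loopback-spoofed login.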
EUVD-2016-10817