GRI

ICS Advisory: Suprema BioStar 2

News Cybersecurity English Guidance
Date: 26th Sep, 2023 Source: Cybersecurity and Infrastructure Security Agency Country: USA Original Source

Brief

Summary:

Suprema Inc.'s BioStar 2 access control system has been found to have a SQL injection vulnerability (CVE-2023-27167) with a CVSS v3 score of 6.5. The vulnerability allows attackers to execute arbitrary commands and has been publicly disclosed with a proof of concept available. The affected versions are BioStar 2 2.8.16. To mitigate this vulnerability, users are recommended to update to BioStar 2 2.9.4 and take defensive measures such as minimizing network exposure, isolating control systems, and using secure remote access methods. Additionally, organizations are advised to perform impact analysis and risk assessments, implement cybersecurity strategies, and report suspicious activity to CISA.

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v3 6.5
  • ATTENTION: Exploitable remotely/low attack complexity/public exploits are available/known public exploitation
  • Vendor: Suprema Inc.
  • Equipment: BioStar 2
  • Vulnerability: SQL Injection

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to perform a SQL injection to execute arbitrary commands.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Suprema BioStar 2, an access control system, are affected:

  • BioStar 2: version 2.8.16

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND (‘SQL INJECTION’) CWE-89

Suprema BioStar 2 v2.8.16 was discovered to contain a SQL injection vulnerability via value parameters.

CVE-2023-27167 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Multiple
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: South Korea

3.4 RESEARCHER

CISA discovered a public proof of concept (PoC) as authored by Yuriy (Vander) Tsarenko and reported it to Exploit-db.

4. MITIGATIONS

SupremaINC has released BioStar 2 2.9.4 to fix this vulnerability.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

5. UPDATE HISTORY

  • September 26, 2023: Initial Publication

Highlights content goes here...

Summary:

Executive Summary

The United States Cybersecurity and Infrastructure Security Agency (CISA) has issued a security advisory regarding a critical vulnerability in Suprema Inc.’s BioStar 2, an access control system. The vulnerability, identified as CVE-2023-27167, is a SQL injection vulnerability that allows an attacker to execute arbitrary commands. The vendor, Suprema Inc., has released a patched version, BioStar 2 2.9.4, to fix this vulnerability.

Risk Evaluation

A successful exploitation of this vulnerability could allow an attacker to perform a SQL injection and execute arbitrary commands, which could result in unauthorized access, data modification, or system compromise. This vulnerability is considered high-risk due to its potential impact on critical infrastructure sectors and the ease of exploitation.

Technical Details

The vulnerability affects BioStar 2 version 2.8.16 and was discovered by CISA, which reported it to Exploit-db. The vulnerability is caused by improper neutralization of special elements used in an SQL command, specifically in value parameters. The CVSS v3 base score is 6.5.

Affected Products

The affected product is BioStar 2, an access control system, with version 2.8.16.

Recommendations

CISA recommends taking defensive measures to minimize the risk of exploitation, including:

Minimizing network exposure for control system devices and ensuring they are not accessible from the internet
 Locating control system networks and remote devices behind firewalls and isolating them from business networks
Using more secure remote access methods, such as Virtual Private Networks (VPNs)
 Performing proper impact analysis and risk assessment prior to deploying defensive measures
Implementing recommended cybersecurity strategies for proactive defense of ICS assets

Update History

The advisory was initially published on September 26, 2023.

Mitigations

Suprema Inc. has released a patched version, BioStar 2 2.9.4, to fix this vulnerability.

References

The advisory includes references to relevant CISA products and technical information papers, including the ICS-TIP-12-146-01B technical information paper on targeted cyber intrusion detection and mitigation strategies.

CISA Recommendations*

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets and to report suspected malicious activity to CISA for tracking and correlation against other incidents.

Cybersecurity and Infrastructure Security Agency

Quick Insight
RADA.AI
RADA.AI
Hello! I'm RADA.AI - Regulatory Analysis and Decision Assistance. Your Intelligent guide for compliance and decision-making. How can i assist you today?
Suggested
Related Documents
Medical device salesperson reporting procedure guide
Date: 5th Feb, 2025 Source: Ministry of Health and Welfare (MOHW) Country: South Korea
News Healthcare & Pharma Guidance
​The EBA issues an Opinion in response to the European Commission’s proposed amendments to the EBA draft technical standards on conflicts of interests for issuers of asset-referenced tokens
Date: 5th Feb, 2025 Source: European Banking Authority (EBA) Country: European Union
News Financial services Guidance
Low risk waste positions: electrical equipment, including constituent parts and accessories
Date: 5th Feb, 2025 Source: Environment Agency (EA) Country: United Kingdom
News Environment Guidance

Form successfully submitted. One of our GRI rep will contact you shortly

Thanking You!

Click here

Enter your Email

Enter your registered username/email id.

Enter your Email

Enter your email id below to signup.

Enter your Email

Enter your email id below to signup.
Individual Plan
  • Designed for Growing Compliance Teams
$125 / month OR $1250 / year
Features
  • • Coverage for 20 jurisdictions
  • • Monitoring from 500+ regulatory authorities
  • • AI compliance summaries
  • • RaDa.ai : Single-Role
Best for: Researchers, Legal professionals, Academics
Subscribe Now
Enterprise Plan
  • Perfect for Global Enterprises
Contact for Pricing
Features
  • • Custom jurisdictional coverage
  • • Custom monitoring of regulatory authorities
  • • RaDa.ai : Customizable multi-role
  • • Custom reporting and dashboard capabilities
  • • API access for seamless integration
Best for: Law Firms, Corporations, Government Bodies
Contact Sales