Suprema BioStar 2
Monitor · 6.5 · ICS-CERT ICSA-23-269-01 · Sep 26, 2023
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
A SQL injection vulnerability in Suprema BioStar 2 (version 2.8.16 and earlier) allows an authenticated user to execute arbitrary SQL commands against the system database. The weakness is classified as CWE-89 (SQL Injection). An attacker with valid credentials could extract or modify sensitive data such as user identities, biometric templates, access logs, and authentication records.
What this means
What could happen
An attacker with login credentials could inject SQL commands into BioStar 2 to read sensitive data from the access control database, such as employee credentials, biometric data, or access logs. This could compromise physical security by exposing authentication records or enabling further system manipulation.
Who's at risk
This affects organizations using Suprema BioStar 2 for physical access control, particularly in facilities requiring multi-factor biometric authentication such as government buildings, corporate offices, data centers, and utility control rooms. Anyone managing access control systems who relies on BioStar 2 databases should treat this as a credential and data protection risk.
How it could be exploited
An attacker must first authenticate to the BioStar 2 web interface using valid credentials (obtained through phishing, credential stuffing, or default credentials if unchanged). Once logged in, the attacker submits a crafted SQL injection payload through an input field to execute arbitrary SQL queries and extract or modify database contents.
Prerequisites
- Valid user credentials for BioStar 2 web interface access
- Network connectivity to the BioStar 2 application port
- Knowledge of the web interface input fields vulnerable to SQL injection
remotely exploitable · low complexity · requires valid credentials · affects access control systems
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
Product | Affected Versions | Fix Status
BioStar 2 | 2.8.16 | 2.8.16 → 2.9.4
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the BioStar 2 admin interface using firewall rules; limit access to authorized administrative workstations only
HARDENING: Enforce strong, unique passwords for all BioStar 2 user accounts and disable any default credentials
Schedule — requires maintenance window
Patching may require a device reboot — plan for process interruption
HOTFIX: Update BioStar 2 to version 2.9.4 or later
Long-term hardening
HARDENING: Isolate the BioStar 2 system on a separate network segment from business/internet-connected networks
CVEs (1)
API: /api/v1/advisories/556248f6-1616-495b-b43a-f8505a8eefbc