Details of VAR-201405-0408

ID

VAR-201405-0408

CVE

CVE-2014-2938

TITLE

Hanvon facial recognition (Face ID) devices do not authenticate commands

Trust: 0.8

sources: CERT/CC: VU#767044

DESCRIPTION

Hanvon FaceID before 1.007.110 does not require authentication, which allows remote attackers to modify access-control and attendance-tracking data via API commands. Hanvon facial recognition (Face ID) devices possibly running software versions prior to 1.007.110 could allow an unauthenticated attacker to modify user and access control information. Hanvon Face recognition device provided by Face ID Firmware lack of certification for critical functions (CWE-306) Exists. CWE-306: Missing Authentication for Critical Function https://cwe.mitre.org/data/definitions/306.htmlThird parties may alter user information and access control information. Multiple Hanvon Face ID Products are prone to a security-bypass vulnerability. An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions. Hanvon FaceID is a face recognition system developed by Hanvon Corporation of China. The system can be used in enterprise attendance, access control and building construction, etc. There is a security vulnerability in Hanvon FaceID 1.007.109 and earlier versions, the vulnerability stems from the fact that the program does not require authentication

Trust: 2.7

sources: NVD: CVE-2014-2938 // CERT/CC: VU#767044 // JVNDB: JVNDB-2014-002557 // BID: 67525 // VULHUB: VHN-70877

AFFECTED PRODUCTS

vendor:	hanon	model:	faceid f710	scope:	eq	version:	1.007.109	Trust: 1.6
vendor:	hanon	model:	faceid	scope:	eq	version:	fa007	Trust: 1.0
vendor:	hanon	model:	faceid f810	scope:	lte	version:	1.007.109	Trust: 1.0
vendor:	hanon	model:	faceid fa007	scope:	lte	version:	1.007.109	Trust: 1.0
vendor:	hanon	model:	faceid	scope:	eq	version:	f710	Trust: 1.0
vendor:	hanon	model:	faceid	scope:	eq	version:	f810	Trust: 1.0
vendor:	hanon	model:	faceid	scope:	eq	version:	fk800	Trust: 1.0
vendor:	hanon	model:	faceid fk800	scope:	lte	version:	1.007.109	Trust: 1.0
vendor:	hanvon	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	hanvon	model:	face id	scope:	eq	version:	f710	Trust: 0.8
vendor:	hanvon	model:	face id	scope:	eq	version:	f810	Trust: 0.8
vendor:	hanvon	model:	face id	scope:	eq	version:	fa007	Trust: 0.8
vendor:	hanvon	model:	face id	scope:	eq	version:	fk800	Trust: 0.8
vendor:	hanvon	model:	face id f710	scope:	lt	version:	1.007.110 earlier	Trust: 0.8
vendor:	hanvon	model:	face id f810	scope:	lt	version:	1.007.110 earlier	Trust: 0.8
vendor:	hanvon	model:	face id fa007	scope:	lt	version:	1.007.110 earlier	Trust: 0.8
vendor:	hanvon	model:	face id fk800	scope:	lt	version:	1.007.110 earlier	Trust: 0.8
vendor:	hanon	model:	faceid fk800	scope:	eq	version:	1.007.109	Trust: 0.6
vendor:	hanon	model:	faceid f810	scope:	eq	version:	1.007.109	Trust: 0.6
vendor:	hanon	model:	faceid fa007	scope:	eq	version:	1.007.109	Trust: 0.6

sources: CERT/CC: VU#767044 // JVNDB: JVNDB-2014-002557 // CNNVD: CNNVD-201405-454 // NVD: CVE-2014-2938

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-2938
value:	HIGH
Trust: 1.0
NVD:	CVE-2014-2938
value:	HIGH
Trust: 0.8
IPA:	JVNDB-2014-002557
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201405-454
value:	HIGH
Trust: 0.6
VULHUB:	VHN-70877
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2014-2938
severity:	HIGH
baseScore:	8.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:C/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	COMPLETE
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	8.5
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	CVE-2014-2938
severity:	HIGH
baseScore:	8.3
vectorString:	NONE
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	COMPLETE
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	8.5
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
IPA:	JVNDB-2014-002557
severity:	HIGH
baseScore:	8.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:C/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	COMPLETE
availabilityImpact:	PARTIAL
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
VULHUB:	VHN-70877
severity:	HIGH
baseScore:	8.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:C/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	COMPLETE
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	8.5
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: CERT/CC: VU#767044 // VULHUB: VHN-70877 // JVNDB: JVNDB-2014-002557 // CNNVD: CNNVD-201405-454 // NVD: CVE-2014-2938

PROBLEMTYPE DATA

problemtype:	CWE-287	Trust: 1.9
problemtype:	CWE-Other	Trust: 0.8

sources: VULHUB: VHN-70877 // JVNDB: JVNDB-2014-002557 // NVD: CVE-2014-2938

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201405-454

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201405-454

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-002557

EXPLOIT AVAILABILITY

sources: CERT/CC: VU#767044

PATCH

title:

Face ID

url:

http://www.hanvon.com/en/products/FaceID/products/index.html

Trust: 0.8

sources: JVNDB: JVNDB-2014-002557

EXTERNAL IDS

db:	CERT/CC	id:	VU#767044	Trust: 3.6
db:	NVD	id:	CVE-2014-2938	Trust: 2.8
db:	JVN	id:	JVNVU95165083	Trust: 0.8
db:	JVNDB	id:	JVNDB-2014-002557	Trust: 0.8
db:	CNNVD	id:	CNNVD-201405-454	Trust: 0.7
db:	BID	id:	67525	Trust: 0.4
db:	VULHUB	id:	VHN-70877	Trust: 0.1

sources: CERT/CC: VU#767044 // VULHUB: VHN-70877 // BID: 67525 // JVNDB: JVNDB-2014-002557 // CNNVD: CNNVD-201405-454 // NVD: CVE-2014-2938

REFERENCES

url:	http://www.kb.cert.org/vuls/id/767044	Trust: 2.8
url:	http://www.hanvon.com/en/products/faceid/technology/index.html	Trust: 0.8
url:	http://www.hanvon.com/en/products/faceid/products/index.html	Trust: 0.8
url:	http://cwe.mitre.org/data/definitions/306.html	Trust: 0.8
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-2938	Trust: 0.8
url:	http://jvn.jp/vu/jvnvu95165083/	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-2938	Trust: 0.8
url:	http://www.hanvon.com/en/products/faceid/index.html	Trust: 0.3

sources: CERT/CC: VU#767044 // VULHUB: VHN-70877 // BID: 67525 // JVNDB: JVNDB-2014-002557 // CNNVD: CNNVD-201405-454 // NVD: CVE-2014-2938

CREDITS

Kelvin Tan Thiam Teck

Trust: 0.3

sources: BID: 67525

SOURCES

db:	CERT/CC	id:	VU#767044
db:	VULHUB	id:	VHN-70877
db:	BID	id:	67525
db:	JVNDB	id:	JVNDB-2014-002557
db:	CNNVD	id:	CNNVD-201405-454
db:	NVD	id:	CVE-2014-2938

LAST UPDATE DATE

2025-04-13T23:10:15.561000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#767044	date:	2014-05-20T00:00:00
db:	VULHUB	id:	VHN-70877	date:	2014-07-16T00:00:00
db:	BID	id:	67525	date:	2014-05-20T00:00:00
db:	JVNDB	id:	JVNDB-2014-002557	date:	2014-07-24T00:00:00
db:	CNNVD	id:	CNNVD-201405-454	date:	2014-06-03T00:00:00
db:	NVD	id:	CVE-2014-2938	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#767044	date:	2014-05-20T00:00:00
db:	VULHUB	id:	VHN-70877	date:	2014-05-22T00:00:00
db:	BID	id:	67525	date:	2014-05-20T00:00:00
db:	JVNDB	id:	JVNDB-2014-002557	date:	2014-05-21T00:00:00
db:	CNNVD	id:	CNNVD-201405-454	date:	2014-05-26T00:00:00
db:	NVD	id:	CVE-2014-2938	date:	2014-05-22T20:55:06.503