CVE-2019-12813

An issue was discovered in Digital Persona U.are.U 4500 Fingerprint Reader v24. The key and salt used for obfuscating the fingerprint image exhibit cleartext when the fingerprint scanner device transfers a fingerprint image to the driver. An attacker who sniffs an encrypted fingerprint image can easily decrypt that image using the key and salt.

CVSS v3 5.9 MEDIUM
CVSS v2.0 4.3 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

Vector : AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://github.com/sungjungk/fp-scanner-hacking	Exploit Third Party Advisory
https://www.youtube.com/watch?v=Grirez2xeas	Exploit Third Party Advisory
https://www.youtube.com/watch?v=wEXJDyEOatM	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:crossmatch:digital_persona_u.are.u_4500_firmware:24:*:*:*:*:*:*:*

cpe:2.3:h:crossmatch:digital_persona_u.are.u_4500:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2019-06-13 23:29

Updated : 2023-12-10 12:59

NVD link : CVE-2019-12813

Mitre link : CVE-2019-12813

CVE.ORG link : CVE-2019-12813

JSON object : View

Products Affected

crossmatch

digital_persona_u.are.u_4500_firmware
digital_persona_u.are.u_4500

CWE

CWE-319

Cleartext Transmission of Sensitive Information

{"id": "CVE-2019-12813", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2019-06-13T23:29:00.223", "references": [{"url": "https://github.com/sungjungk/fp-scanner-hacking", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.youtube.com/watch?v=Grirez2xeas", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.youtube.com/watch?v=wEXJDyEOatM", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-319"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Digital Persona U.are.U 4500 Fingerprint Reader v24. The key and salt used for obfuscating the fingerprint image exhibit cleartext when the fingerprint scanner device transfers a fingerprint image to the driver. An attacker who sniffs an encrypted fingerprint image can easily decrypt that image using the key and salt."}, {"lang": "es", "value": "Se ha descubierto un problema en el Digital persona U.are U 4500 Fingerprint Reader v24. La llave y salt utilizado para alterar la imagen de la huella digital muestra un texto claro cuando el dispositivo del esc\u00e1ner de huellas digitales transfiere una imagen de la huella digital al controlador. Un atacante que olfate\u00e9 una imagen de huella digital cifrada puede descifrar f\u00e1cilmente esa imagen usando la clave y la sa"}], "lastModified": "2021-07-21T11:39:23.747", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:crossmatch:digital_persona_u.are.u_4500_firmware:24:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4155CEFD-087C-4980-81DF-A39198503CDA"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:crossmatch:digital_persona_u.are.u_4500:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "EBCFF6B0-DAAF-4E51-972C-5D9EDC540614"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}