CHT Security Team Discovered a Vulnerability in Well-Known Identity Authentication System
【Summary】
CHT Security Team discovered a command injection vulnerability in an identity authentication system, which affects domestic and foreign users and enterprises.
【Risk level】 High
【Known Affected Software】 IDExpert identity authentication system 2.6.1 to 2.8.1.240620
【Description】
CVE-2024-10653: The system does not properly validate a parameter for specific functionality, allowing remote attackers with administrative privileges to inject and execute arbitrary OS commands on the server.
CHT Security Team recommends the following measures:
After receiving the information, the developer released the relevant updates as soon as possible. Agencies or enterprises that use this system are advised to contact the manufacturer as soon as possible for the update (update to version 2.8.1.240731 or later).
1. Users: Contact the manufacturer to install the patch as soon as possible.
2. System developers: Validate input parameters during program development.
3. System developers: It is recommended to introduce an SSDLC (Secure Software Development Life Cycle), conduct secure program development education and training, and regularly perform security tests such as source code review and penetration testing to effectively ensure product and user security.
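The two controls behind recommendation 2 are allowlist validation of the parameter and invoking the OS command as an argument vector rather than a shell string. The following is an added example written for this advisory, not code from IDExpert or its vendor; the diagnostic "ping a host" function, the parameter name and the allowlist pattern are assumptions chosen to illustrate the pattern.

```python
"""Allowlist validation plus argv-style process invocation: the two controls
that close an OS command injection hole of the kind described above.
Constructed example; the ping function and its parameter are hypothetical."""
import re
import shlex

# Allowlist for the single parameter this hypothetical function accepts:
# a hostname or IPv4 address made of dot-separated alphanumeric labels.
# Shell metacharacters (; | & $ ` space, quotes, newlines) cannot match.
_HOST_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def validate_host(value: str) -> bool:
    """Return True only when the value matches the allowlist exactly."""
    return len(value) <= 253 and _HOST_RE.fullmatch(value) is not None


def vulnerable_command(host: str) -> str:
    """The anti-pattern: untrusted input concatenated into a shell command
    string. Anything the shell treats specially in `host` changes the
    command that actually runs. Returned, never executed, in this example."""
    return f"ping -c 1 {host}"


def safe_argv(host: str) -> list:
    """Hardened form: reject anything outside the allowlist, then hand the
    value to the process as one argv element with no shell involved
    (e.g. subprocess.run(safe_argv(h), shell=False, check=False))."""
    if not validate_host(host):
        raise ValueError("host parameter rejected by allowlist")
    return ["ping", "-c", "1", host]


def quoted_fallback(host: str) -> str:
    """Secondary defense only, for code that cannot avoid a shell string:
    shlex.quote() makes the whole value a single shell word. Allowlist
    validation still comes first."""
    if not validate_host(host):
        raise ValueError("host parameter rejected by allowlist")
    return f"ping -c 1 {shlex.quote(host)}"


def check_parameter(host: str) -> dict:
    """Summarize how a given parameter value fares under each control."""
    result = {"allowed": validate_host(host),
              "shell_string": vulnerable_command(host)}
    try:
        result["argv"] = safe_argv(host)
    except ValueError as exc:
        result["argv"] = str(exc)
    return result


if __name__ == "__main__":
    # Constructed inputs: one benign value and one carrying a shell separator.
    for sample in ("login.example.com", "example.com; echo injected"):
        print(sample, "->", check_parameter(sample))
```

In the vulnerable form the second sample would reach the shell as two commands; in the hardened form it never reaches a process at all because the allowlist rejects it, and even a value that slipped past validation would be delivered to `ping` as a single argument rather than parsed by a shell.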