2024: Security Advisory: Multiple MiCard PLUS card readers drop characters.
Summary | The MiCard PLUS Ci and MiCard PLUS BLE readers developed by rf IDEAS can randomly drop characters, which would result in the wrong ID card number being assigned during ID card self-registration. |
Advisory release date | Initial Release: Feb 12, 2024; Publication Update: Apr 23, 2024 |
Product | MiCard PLUS Ci | MiCard PLUS BLE |
CVE | CVE-2024-1578 |
Publication Update: rf IDEAS has informed NT-ware that the issue originally discovered in the MiCard PLUS Ci reader has now also been identified in the MiCard PLUS BLE reader. This advisory has been updated to list both products, the updated firmware versions and the remediation steps necessary for the affected products.
Summary of Vulnerability
It has been reported from the field and confirmed by NT-ware and rf IDEAS that the affected products have a firmware fault that may result in characters randomly being dropped from some ID card reads. This is a confirmed quality issue that can result in failed login attempts for end-users.
Random characters being dropped from ID card numbers compromises the uniqueness of ID card identities, which can result in a security issue if customers are using the ‘ID card self-registration’ function.
Example:
User A has an ID card number of ‘1234’ and registers this as their ID card identity.
User B has an ID card number of ‘1244’.
User A wants to log in and the third character is dropped. User A will be asked to register ‘124’ as their ID card identity. After registration, both ‘1234’ and ‘124’ are registered ID card identities for User A.
User B wants to log in and the fourth character is dropped. User B will now be logged in as User A with ID card identity ‘124’, as this was previously registered to User A.
Severity
For the security issue explained above to happen, a specific set of conditions must be in place. Customers must be using ID card self-registration, and the ID card number complexity and character length need to be low in comparison to the company user count.
Likelihood: Very Low
Impact: Medium
CVSS 3.1 Base Score | 5.6 |
CVSS 3.1 Vector | |
CVSS 4.0 Base Score | 5.3 |
CVSS 4.0 Vector | CVSS:4.0/AV:P/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
Even with a very low likelihood the potential of logging in as another user and accessing another user's secure print jobs or scan profiles raises the impact to Medium.
Affected Versions
Product(s) | Affected versions |
MiCard PLUS Ci (NT-ware release date 01-08-2023). NOTE: This is a rebrand of a card reader developed and provided by rf IDEAS to NT-ware. | |
MiCard PLUS BLE (NT-ware release date 10-04-2023). NOTE: This is a rebrand of a card reader developed and provided by rf IDEAS to NT-ware. | |
Fixed Versions
Product(s) | Fix versions |
MiCard PLUS Ci | |
MiCard PLUS BLE | |
rf IDEAS has provided this firmware upgrade to address the root cause. Testing of this firmware has been conducted by rf IDEAS and in combination with Canon and NT-ware resources. In the meantime, customers matching the conditions described above are urged to implement the remediation steps below.
What You Need to Do
If you are affected, act now and implement the recommended steps below to mitigate potential risk. A root cause fix will be communicated via this advisory and managed through our global distribution channel, Canon and its associated business partners.
Mitigation
As of Feb 12, 2024
NT-ware recommends that customers immediately suspend using ID card self-registration if they are using the affected products until further notice (within this advisory).
ID card registration can be performed manually into uniFLOW or uniFLOW Online if required.
ID card numbers can also be imported from multiple external sources; please consult the user manual or contact your support representative.
Due to the affected products' issue explained in this advisory, there could already be misread ID cards in the database of uniFLOW or uniFLOW Online. NT-ware recommends that customers review their registered ID cards:
Have you experienced users being asked to register their ID card multiple times?
Do users have multiple ID cards in uniFLOW, or uniFLOW Online registered yet only one physical ID card?
Clean-up actions can be performed via a configured ‘Identity Deletion Task’ within uniFLOW. Additionally, there are PowerShell and scripting options available for uniFLOW and uniFLOW Online.
(Optional) Customers could enable ‘Card + PIN’, which introduces a second-factor identification and negates the above-mentioned issue. This is, however, a change to the login process and needs to be evaluated by the customer against the likelihood of the issue occurring.
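As an added illustration (not part of this advisory, and not uniFLOW's own tooling or export format), the following Python audit applies the single-dropped-character check from the User A / User B example to a constructed list of registered identities, flagging both users holding an identity that is a one-character drop of another of their own identities and cross-user collisions such as User B's card matching User A's registered ‘124’. The user names, card numbers and (user, card_id) export layout are assumed.

```python
# Audit of registered ID card identities for the dropped-character failure mode
# described in this advisory. Sample data below is constructed for illustration.
from itertools import combinations


def one_char_drops(card_id: str) -> set[str]:
    """All strings obtainable from card_id by dropping exactly one character."""
    return {card_id[:i] + card_id[i + 1:] for i in range(len(card_id))}


def audit(registrations: list[tuple[str, str]]) -> dict:
    """registrations: (user, card_id) pairs as stored in the identity store.

    Returns suspected misreads (one of a user's identities is a one-character
    drop of another of their identities, i.e. self-registration after a bad
    read) and collisions (a dropped read of user X's card equals an identity
    registered to user Y, so X would be logged in as Y)."""
    by_user: dict[str, set[str]] = {}
    owner: dict[str, set[str]] = {}
    for user, cid in registrations:
        by_user.setdefault(user, set()).add(cid)
        owner.setdefault(cid, set()).add(user)

    suspected_misreads = []
    for user, ids in by_user.items():
        # longest first, so 'a' is always the candidate full read and 'b' the drop
        for a, b in combinations(sorted(ids, key=len, reverse=True), 2):
            if b in one_char_drops(a):
                suspected_misreads.append((user, a, b))

    collisions = []
    for user, ids in by_user.items():
        for cid in ids:
            for dropped in one_char_drops(cid):
                for victim in owner.get(dropped, ()):
                    if victim != user:
                        collisions.append((user, cid, dropped, victim))
    return {"suspected_misreads": suspected_misreads, "collisions": sorted(collisions)}


SAMPLE = [  # constructed; mirrors the advisory's example
    ("User A", "1234"),
    ("User A", "124"),   # registered after a read that dropped the third character
    ("User B", "1244"),
    ("User C", "98765"),
]

if __name__ == "__main__":
    for kind, findings in audit(SAMPLE).items():
        print(kind, findings)
```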
As of: Feb 21, 2024
rf IDEAS has released a new firmware for the MiCard PLUS Ci addressing the root cause of this issue. The firmware must be updated by a Canon direct or Canon business partner technician. Customers should coordinate this through their standard support channels.
As of: Apr 23, 2024
rf IDEAS has released a new firmware for the MiCard PLUS BLE addressing the root cause of this issue. The firmware must be updated by a Canon direct or Canon business partner technician. Customers should coordinate this through their standard support channels.
Support
If you have further questions, please contact your Canon / Canon Business Partner representative.