2024: Security Advisory: Multiple MiCard PLUS card readers drop characters.

Summary

The MiCard PLUS Ci and MiCard PLUS BLE readers developed by rf IDEAS can randomly drop characters, which can result in the wrong ID card number being assigned during ID card self-registration.

Advisory release date

Initial Release: Feb 12, 2024

Publication Update: Apr 23, 2024

Product

MiCard PLUS Ci | MiCard PLUS BLE

CVE

CVE-2024-1578

Publication Update: rf IDEAS has informed NT-ware that the issue originally discovered in the MiCard PLUS Ci reader has now also been identified in the MiCard PLUS BLE reader. This advisory has been updated to list both products, the updated firmware and the remediation steps necessary for the affected products.

Summary of Vulnerability

It has been reported from the field and confirmed by NT-ware and rf IDEAS that the affected products have a firmware fault that may result in characters randomly being dropped from some ID card reads. This is a confirmed quality issue that can result in failed login attempts for end-users.

Characters being randomly dropped from ID card numbers compromises the uniqueness of ID card numbers, which can result in a security issue if customers are using the ‘ID card self-registration’ function.

Example:

User A has an ID card number of ‘1234’ and registers this as their ID card identity.

User B has an ID card number of ‘1244’.

User A wants to login and the third character is dropped. User A will be asked to register “124” as their ID card identity. After registration “1234” and “124” are registered ID card identities for User A.

User B wants to login and the fourth character is dropped. User B will now be logged in as User A with ID card identity “124” as this was previously registered to User A.


Severity

For the security issue explained above to occur, a specific set of conditions must be in place: customers must be using ID card self-registration, and the ID card number complexity and character length must be low in comparison to the company's user count.

Likelihood: Very Low

Impact: Medium

CVSS 3.1 Base Score

5.6

CVSS 3.1 Vector

CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

CVSS 4.0 Base Score

5.3

CVSS 4.0 Vector

CVSS:4.0/AV:P/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Even with a very low likelihood the potential of logging in as another user and accessing another user's secure print jobs or scan profiles raises the impact to Medium.


Affected Versions

Product(s)

Affected versions

MiCard PLUS Ci

NT-ware release date 01-08-2023

NOTE: This is a rebrand of a card reader developed and provided by rf IDEAS to NT-ware.

  • NT-ware part number / Firmware

    • RDR-80031BKU-NT-20 (Model name)

    • 0.1.0.7 (Affected version number)

  • rf IDEAS base card reader

    • RDR-80031BKU

MiCard PLUS BLE

NT-ware release date: 10-04-2023

NOTE: This is a rebrand of a card reader developed and provided by rf IDEAS to NT-ware.

  • NT-ware part number / Firmware

    • RDR-30531EKU-NT-20 (Model name)

    • 0.1.0.4 (Affected version number)

  • rf IDEAS base card reader

    • RDR-30531EKU

Fixed Versions

Product(s)

Fix versions

MiCard PLUS Ci

  • NT-ware part number / Firmware

    • RDR-80031BKU-NT-20 (Model name)

    • 0.2.0.4 (Fixed version number)

      • Update Available: 21-02-2024

MiCard PLUS BLE

  • NT-ware part number / Firmware

    • RDR-80031BKU-NT-20 (Model name)

    • 0.2.0.5 (Fixed version number)

      • Update Available: 23-04-2024

rf IDEAS has provided this firmware upgrade to address the root cause. Testing of this firmware has been conducted by rf IDEAS together with Canon and NT-ware resources. In the meantime, customers matching the conditions described above are urged to implement the remediation steps below.


What You Need to Do

If you are affected, act now and implement the recommended steps below to mitigate the potential risk. A root cause fix will be communicated via this advisory and managed through our global distribution channel, Canon and its associated business partners.


Mitigation

As of Feb 12, 2024

  • NT-ware recommends that customers immediately suspend using ID card self-registration if they are using the affected products until further notice (within this advisory).

    • ID card registration can be performed manually into uniFLOW or uniFLOW Online if required.

    • ID card numbers can be imported via multiple external sources; please consult the user manual or contact your support representative.

  • Due to the issue with the affected products explained in this advisory, there could already be misread ID cards in the database of uniFLOW or uniFLOW Online. NT-ware recommends that customers review their registered ID cards.

    • Have you experienced users being asked to register their ID card multiple times?

    • Do users have multiple ID cards in uniFLOW, or uniFLOW Online registered yet only one physical ID card?

    • Clean-up actions can be performed via a configured ‘Identity Deletion Task’ within uniFLOW. Additionally, there are PowerShell and scripting options available for uniFLOW and uniFLOW Online.

  • (Optional) Customers could enable ‘Card + PIN’, which introduces a second identification factor and negates the above-mentioned issue. This, however, is a change to the login process and needs to be evaluated by the customer against the likelihood of the issue occurring.
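The review step above asks customers to look for users holding several registered identities and for identities that may be misreads. The following is an added example, not NT-ware, rf IDEAS or uniFLOW code: it reproduces the User A / User B scenario from the Summary of Vulnerability and flags any registered identity that equals another registered identity with exactly one character dropped. It assumes an identity export reduced to (user, card number) rows; the rows shown are constructed.

```python
"""Flag registered ID card identities that look like dropped-character reads.

Added example (not NT-ware or rf IDEAS code). Assumes the uniFLOW or uniFLOW
Online identity list has been exported as (user, card_id) rows; the sample rows
below are constructed to match the User A / User B scenario in the advisory.
"""
from collections import defaultdict

# Constructed sample export: User A holds '1234' and its third-character-dropped
# read '124'; '124' is also what User B's card '1244' becomes when the fourth
# character is dropped, so User B would log in as User A.
SAMPLE_ROWS = [
    ("User A", "1234"),
    ("User A", "124"),
    ("User B", "1244"),
    ("User C", "98765"),
]


def deletion_variants(card_id):
    """All strings obtained by dropping exactly one character from card_id."""
    return {card_id[:i] + card_id[i + 1:] for i in range(len(card_id))}


def find_suspect_identities(rows):
    """Return (short_id, short_owner, long_id, long_owner) for every registered
    identity that equals another registered identity minus one character.
    Same-owner hits indicate a user who registered a misread of their own card;
    cross-owner hits are identities that route one user's card to another."""
    owners = defaultdict(set)
    for user, card_id in rows:
        owners[card_id].add(user)
    suspects = []
    for long_id in owners:
        for short_id in deletion_variants(long_id):
            if short_id in owners:
                for short_owner in sorted(owners[short_id]):
                    for long_owner in sorted(owners[long_id]):
                        suspects.append((short_id, short_owner, long_id, long_owner))
    return sorted(suspects)


def collision_risk(rows):
    """Only the cross-owner hits: a dropped-character read of long_owner's card
    would silently authenticate as short_owner."""
    return [s for s in find_suspect_identities(rows) if s[1] != s[3]]


if __name__ == "__main__":
    for short_id, short_owner, long_id, long_owner in find_suspect_identities(SAMPLE_ROWS):
        print(f"{short_id!r} ({short_owner}) is {long_id!r} ({long_owner}) minus one character")
```

Short identities that appear only as deletion variants of another user's card are the ones to remove before re-enabling self-registration; same-owner hits are candidates for the ‘Identity Deletion Task’ clean-up.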

As of: Feb 21, 2024

  • rf IDEAS has released new firmware for the MiCard PLUS Ci addressing the root cause of this issue. The firmware must be updated by a Canon direct or Canon business partner technician. Customers should coordinate this through their standard support channels.

As of: Apr 23, 2024

  • rf IDEAS has released new firmware for the MiCard PLUS BLE addressing the root cause of this issue. The firmware must be updated by a Canon direct or Canon business partner technician. Customers should coordinate this through their standard support channels.

Support

If you have further questions, please contact your Canon / Canon Business Partner representative.