CVE-2024-0454

EUVD-2024-16249
ELAN Match-on-Chip FPR solution has design fault about potential risk of valid SID leakage and enumeration with spoof sensor.
This fault leads to that Windows Hello recognition would be bypass with cloning SID to cause broken account identity.
Version which is lower than 3.0.12011.08009(Legacy)/3.3.12011.08103(ESS) would suffer this risk on DELL Inspiron platform.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6 MEDIUM
PHYSICAL
LOW
LOW
CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
ELANCNA
6 MEDIUM
PHYSICAL
LOW
LOW
CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 1%
Affected Products (NVD)
VendorProductVersion
emcelan_match-on-chip_fpr_solution_firmware
3.0.12011.08009
emcelan_match-on-chip_fpr_solution_firmware
3.3.12011.08103
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.emc.com.tw/emc/tw/vulnerability-disclosure-policy
https://github.com/advisories/GHSA-w3jx-33qh-77f8
https://www.emc.com.tw/emc/tw/vulnerability-disclosure-policy