Protect your corporate IT network from hackers and other unwanted intruders with Proxy Sentinel™. Click here for all the details and get the peace of mind you deserve.
Back to our Homepage Proxy Sentinel™ high performance Internet proxy server and secure firewall solution Firewall Sentinel™ secure & powerful Internet firewall solution About Internet Security.ca and GCIS Frequently Asked Questions on Internet security issues Internet Security Industry News - Stay informed of what's happening Contact Internet Security.ca today and order your Proxy Sentinel™ or Firewall Sentinel™ server now!

Germany's insecure communications protocol

Sponsered ads:
Read the latest IT news. Visit ItDirection.net. Updated several times daily.

If you need reliability when it comes to SMTP servers, get the best, get Port 587.

Get a powerful Linux Dual-Core dedicated server for less than $2.67 a day!

July 3, 2017

Germany's electronic systems are wide open to various attacks and other internet security vulnerabilities because of an insecure communications protocol.

The security issues are in the OSCI-Transport Library version 1.2, for which a common implementation is in Java.

In case you didn't know, OSCI is the Online Services Computer Interface and happens to be the foundation of Germany's e-government system.

In a perfect world, it's meant to provide secure, confidential, and legally-binding transmission over untrusted networks such as the public internet.

According to the security firm SEC Consult, the library's numerous flaws allow attackers to decrypt messages, modify signed messages, and attack various hosts implementing the protocol.

The first of the security vulnerabilities is CVE-2017-10670. An attacker can read arbitrary files from the target system, or to conduct denial-of-service (DoS) on it.

Second is security bulletin CVE-2017-10668-- the library incorporates a number of deprecated encryption algorithms: triple DES, AES 129, AES 192, and AES 256, all in CBC mode.

Those are subject to what is termed in the industry as “padding oracle” attacks, if the recipient reveals whether a decrypted message has valid padding – something which the advisory says “would allow an attacker to decrypt any encrypted messages”.

“Since the supported cipher algorithms don't provide any protection against modification (malleability) and the library reveals in an error message whether decryption failed (error code 9202), SEC Consult was able to bypass the transport encryption”, the advisory asserts.

Then we have bulletin CVE-2017-10669 which consists of a signature wrapping an attack vector that allows the hacker to change the contents of a message without invalidating the signature.

Finally, there's a deserialisation security flaw that, like CVE-2017-10670, allows an external entity injection into a system.

But be on notice that there's extra caution needed for that bug. The OSCI-Transport library only needs to be in the classpath of an application. The vulnerable app doesn't need to actually utilize the OSCI-Transport library at all.

In order for that security vulnerability to be exploitable, an application needs to deserialize data that can be influenced by an attacker.

Germany's public service agencies are warned not to use OSCI-Transport systems until they've upgraded to the latest version of the library. A detailed discussion of the vulnerability is available at SEC-Consult's website.

Source: SEC Consult.

Sponsered ads:
Read the latest IT news. Visit ItDirection.net. Updated several times daily.

If you need reliability when it comes to SMTP servers, get the best, get Port 587.

Get a powerful Linux Dual-Core dedicated server for less than $2.67 a day!

Share on Twitter.


Home | Proxy Sentinel™ | Firewall Sentinel™ | FAQ | News | Sitemap | Contact
Copyright © Internet Security.ca    Terms of use    Privacy agreement    Legal disclaimer