Germany's insecure communications protocol
Get a powerful Linux Dual-Core dedicated server for less than $2.67 a day!
July 3, 2017
Germany's electronic systems are wide open to various attacks and other internet security vulnerabilities because of an insecure communications protocol.
The security issues are in the OSCI-Transport Library version 1.2, for which a common implementation is in Java.
In case you didn't know, OSCI is the Online Services Computer Interface and happens to be the foundation of Germany's e-government system.
In a perfect world, it's meant to provide secure, confidential, and legally-binding transmission over untrusted networks such as the public internet.
According to the security firm SEC Consult, the library's numerous flaws allow attackers to decrypt messages, modify signed messages, and attack various hosts implementing the protocol.
The first of the security vulnerabilities is CVE-2017-10670. An attacker can read arbitrary files from the target system, or to conduct denial-of-service (DoS) on it.
Second is security bulletin CVE-2017-10668-- the library incorporates a number of deprecated encryption algorithms: triple DES, AES 129, AES 192, and AES 256, all in CBC mode.
Those are subject to what is termed in the industry as “padding oracle” attacks, if the recipient reveals whether a decrypted message has valid padding – something which the advisory says “would allow an attacker to decrypt any encrypted messages”.
“Since the supported cipher algorithms don't provide any protection against modification (malleability) and the library reveals in an error message whether decryption failed (error code 9202), SEC Consult was able to bypass the transport encryption”, the advisory asserts.
Then we have bulletin CVE-2017-10669 which consists of a signature wrapping an attack vector that allows the hacker to change the contents of a message without invalidating the signature.
Finally, there's a deserialisation security flaw that, like CVE-2017-10670, allows an external entity injection into a system.
But be on notice that there's extra caution needed for that bug. The OSCI-Transport library only needs to be in the classpath of an application. The vulnerable app doesn't need to actually utilize the OSCI-Transport library at all.
In order for that security vulnerability to be exploitable, an application needs to deserialize data that can be influenced by an attacker.
Germany's public service agencies are warned not to use OSCI-Transport systems until they've upgraded to the latest version of the library. A detailed discussion of the vulnerability is available at SEC-Consult's website.
Source: SEC Consult.
Get a powerful Linux Dual-Core dedicated server for less than $2.67 a day!Tweet Share on Twitter.