German e-gov protocol carries ancient vulns

Dies ist eine Chaos

Germany's e-government system is open to padding oracle attacks and other vulnerabilities because of an insecure communications protocol.

According to this SEC-Consult advisory, which landed on Friday, the problems are in the OSCI-Transport Library version 1.2, for which a common implementation is in Java.

OSCI, the Online Services Computer Interface, is the foundation of Germany's e-government. It's meant to provide secure, confidential, and legally-binding transmission over untrusted networks such as the Internet.

According to SEC Consult, the library's bugs allow attackers to decrypt messages, modify signed messages, and attack hosts implementing the protocol.

The first of the vulnerabilities is CVE-2017-10670: the attacker can read arbitrary files from the target system, or conduct a denial-of-service attack on it.

Second, assigned CVE-2017-10668: the library incorporates a number of deprecated encryption algorithms (Triple DES, AES 128, AES 192, and AES 256, all in CBC mode).

These are subject to “padding oracle” attacks, if the recipient reveals whether a decrypted message has valid padding – something which the advisory says “would allow an attacker to decrypt any encrypted messages”.

“Since the supported cipher algorithms do not provide protection against modification (malleability) and the library reveals in an error message whether decryption failed (error code 9202), SEC Consult was able to … bypass transport encryption”, the advisory continues.
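The condition the advisory describes, as an added Java example that comes from neither OSCI-Transport nor the advisory: a receiver using unauthenticated CBC answers modified ciphertexts in two distinguishable ways, while an authenticated mode rejects every modification with one generic error. The class and method names and the response strings are hypothetical, and AES-GCM is swapped in here as one authenticated mode; the page does not name a replacement.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.AlgorithmParameterSpec;
import java.util.*;
// Added illustration, not OSCI-Transport code; all names here are hypothetical.
public class CbcOracleDemo {
    static byte[] aes(String alg, int mode, byte[] key, AlgorithmParameterSpec p, byte[] in)
            throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(alg);
        c.init(mode, new SecretKeySpec(key, "AES"), p);
        return c.doFinal(in);
    }
    // Weak pattern: unauthenticated CBC, and the sender learns whether unpadding succeeded.
    static String leakyReceive(byte[] key, byte[] iv, byte[] ct) {
        try {
            aes("AES/CBC/PKCS5Padding", Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv), ct);
            return "ACCEPTED";
        } catch (GeneralSecurityException e) {
            return "DECRYPTION_FAILED"; // stands in for a distinct decryption error code
        }
    }
    // Hardened pattern: AES-GCM verifies the tag before releasing plaintext; one generic error.
    static String hardenedReceive(byte[] key, byte[] nonce, byte[] ct) {
        try {
            aes("AES/GCM/NoPadding", Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, nonce), ct);
            return "ACCEPTED";
        } catch (GeneralSecurityException e) {
            return "REJECTED";
        }
    }
    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();
        byte[] k1 = new byte[16], k2 = new byte[16], iv = new byte[16], nonce = new byte[12];
        rng.nextBytes(k1); rng.nextBytes(k2); rng.nextBytes(iv); rng.nextBytes(nonce);
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8); // 26 bytes
        byte[] cbc = aes("AES/CBC/PKCS5Padding", Cipher.ENCRYPT_MODE, k1, new IvParameterSpec(iv), msg);
        byte[] gcm = aes("AES/GCM/NoPadding", Cipher.ENCRYPT_MODE, k2, new GCMParameterSpec(128, nonce), msg);
        Set<String> leaky = new TreeSet<>(), hardened = new TreeSet<>();
        for (int delta = 1; delta < 256; delta++) { // every modification of one ciphertext byte
            byte[] a = cbc.clone(), b = gcm.clone();
            a[a.length - 17] ^= delta; b[b.length - 17] ^= delta; // one byte changed in each copy
            leaky.add(leakyReceive(k1, iv, a));
            hardened.add(hardenedReceive(k2, nonce, b));
        }
        System.out.println("CBC without MAC: " + leaky + "  AES-GCM: " + hardened);
    }
}
```

Any difference a sender can observe between the two CBC outcomes, whether an error code, a message or timing, is the signal a padding oracle relies on, which is why the integrity check has to run before unpadding and fail uniformly.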

CVE-2017-10669 is a signature wrapping attack that allows the miscreant to change the contents of a message without invalidating the signature; and finally there's a deserialisation bug that, like CVE-2017-10670, allows an external entity injection.

There's extra lulz to be had from this bug: “the OSCI-Transport library only needs to be in the classpath of an application - the vulnerable application does not need to actually use the OSCI-Transport library! In order for this vulnerability to be exploitable, an application needs to deserialize data that can be influenced by an attacker”.

Germany's public agencies are warned not to use OSCI-Transport until they've upgraded to the latest version of the library.

A detailed discussion of the vulnerability is at SEC-Consult here. ®
