SEC Consult SA-20170630-0 :: Multiple critical vulnerabilities in OSCI-Transport library 1.2 for German e-Government

We have published an accompanying blog post to this technical advisory with
further information:
German version with less technical details as an overview:
http://blog.sec-consult.com/2017/06/e-government-in-deutschland-schwachstellen.html

English version containing more detailed attack scenario descriptions:
http://blog.sec-consult.com/2017/06/german-e-government-details-vulnerabilities.html


SEC Consult Vulnerability Lab Security Advisory < 20170630-0 >
========================================================================
              title: Multiple critical vulnerabilities
            product: OSCI-Transport library 1.2 for German e-Government
 vulnerable version: 1.6.1
      fixed version: 1.7.1
         CVE number: CVE-2017-10668 (Padding Oracle)
                     CVE-2017-10669 (Signature Wrapping)
                     CVE-2017-10670 (XXE)
             impact: Critical
           homepage: http://www.xoev.de
              found: 01/2017
                 by: Wolfgang Ettlinger (Office Vienna)
                     Marc Nimmerrichter (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
                     Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com

========================================================================

Vendor description:
-------------------
"The specification of the OSCI-Transport protocol in version 1.2 describes a
secure, vendor-independent and interoperable data exchange format.

To ease implementation for users in public administration as well as for
vendors of specialised procedures (Fachverfahren), the OSCI 1.2 library is
offered:

The library implements OSCI-Transport version 1.2 and is therefore
independent of any specialised content. It is part of the OSCI-Transport
infrastructure. The OSCI-Transport library is intended to be implemented in
specialised procedures (on the administration side) or in client systems
(on the customer side)."

URL:
http://www.xoev.de/die_standards/osci_transport/osci_transport_1_2/osci_1_2_bibliothek-2310


Business recommendation:
------------------------
During a short security test, SEC Consult found several severe security
vulnerabilities in the OSCI 1.2 Transport library.

The OSCI 1.2 Transport library is intended to provide a secure message exchange
channel over an untrusted network (i.e. the Internet) for German government
agencies for eGovernment.

However, SEC Consult found that multiple vulnerabilities allow attackers to
decrypt encrypted messages as well as modify signed messages. Moreover, a
vulnerability can be used to read arbitrary files from any host that implements
the OSCI 1.2 transport protocol using this library.

SEC Consult recommends KoSIT and its partners to _immediately_ stop using the
OSCI 1.2 Transport library over untrusted networks. Moreover, a forensic
investigation should be conducted on all affected systems to investigate
whether the vulnerabilities have been exploited in the past.

The library should only be used again after a thorough source code security
review has been conducted and all vulnerabilities have been fixed. It is
quite likely that further vulnerabilities exist as there are indications for
potential XML injection flaws.


Vulnerability overview/description:
-----------------------------------
1) External Entity Injection (XXE) [CVE-2017-10670]
By sending manipulated XML data to any communication partner, an attacker is
able to conduct an XXE attack on the receiving system. This attack allows an
attacker to read arbitrary files from the file system of the victim host or to
conduct a denial of service attack.

2) Padding Oracle Attack [CVE-2017-10668]
The OSCI 1.2 Transport library only supports the following encryption
algorithms:
 * http://www.w3.org/2001/04/xmlenc#tripledes-cbc
 * http://www.w3.org/2001/04/xmlenc#aes128-cbc
 * http://www.w3.org/2001/04/xmlenc#aes192-cbc
 * http://www.w3.org/2001/04/xmlenc#aes256-cbc

All of these algorithms are no longer recommended by the W3C:
"Note: Use of AES GCM is strongly recommended over any CBC block encryption
algorithms as recent advances in cryptanalysis [...] have cast doubt on the
ability of CBC block encryption algorithms to protect plain text when used with
XML Encryption" (https://www.w3.org/TR/xmlenc-core1/)

Since the supported cipher algorithms do not provide protection against
modification (malleability) and the library reveals in an error message whether
decryption failed (error code 9202), SEC Consult was able to conduct a padding
oracle attack. This attack allows an attacker to bypass transport encryption.
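
The mitigation the W3C note above points to, shown as an added Java example that is not part of the OSCI library: an authenticated mode (AES-GCM) rejects any modified ciphertext before plaintext is released, and the receiver collapses every decryption failure into one indistinguishable outcome instead of a dedicated error code such as 9202. The key, the nonce layout and the sample payload are constructed for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Optional;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class AuthenticatedPayload {
    private static final int NONCE_BYTES = 12, TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();

    // Output layout (assumed for this example): nonce || ciphertext || tag.
    // The tag lets the receiver verify integrity before any plaintext is used.
    public static byte[] seal(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[NONCE_BYTES];
        RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(nonce, NONCE_BYTES + ct.length);
        System.arraycopy(ct, 0, out, NONCE_BYTES, ct.length);
        return out;
    }

    // Bad tag, truncated input and wrong key all end in the same empty result:
    // a sender of tampered data learns nothing beyond "rejected".
    public static Optional<byte[]> open(SecretKey key, byte[] sealed) {
        try {
            if (sealed.length < NONCE_BYTES + TAG_BITS / 8) return Optional.empty();
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, sealed, 0, NONCE_BYTES));
            return Optional.of(c.doFinal(sealed, NONCE_BYTES, sealed.length - NONCE_BYTES));
        } catch (Exception e) {
            return Optional.empty();
        }
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        // Constructed sample payload; then one ciphertext bit is flipped as a receiver would see it.
        byte[] sealed = seal(key, "<Body>constructed sample</Body>".getBytes(StandardCharsets.UTF_8));
        byte[] tampered = sealed.clone();
        tampered[NONCE_BYTES + 3] ^= 0x01;
        System.out.println("intact accepted:   " + open(key, sealed).isPresent());
        System.out.println("tampered accepted: " + open(key, tampered).isPresent());
    }
}
```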

3) Signature Wrapping attack [CVE-2017-10669]
By moving XML elements within the document tree, a signature wrapping attack can
be conducted. This allows an attacker to modify the contents of a signed message
arbitrarily without invalidating the signature.
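
A receiver-side check against wrapping, as an added Java example that is not code from the library: once the XMLDSig validation reports success for a Reference URI, the application resolves that Id itself, refuses duplicate Ids, and consumes only the node the signature actually covered. The attribute name `Id`, and the rule that the signed element must be a direct child of the root element, are assumptions made for this illustration; the sample document is constructed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SignedElementBinding {

    // Returns the single element carrying idAttr == id, or null if there is none
    // or more than one (a duplicate Id is exactly what wrapping relies on).
    public static Element uniqueById(Document doc, String id, String idAttr) {
        Element found = null;
        NodeList all = doc.getElementsByTagName("*");
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (id.equals(e.getAttribute(idAttr))) {
                if (found != null) return null;
                found = e;
            }
        }
        return found;
    }

    // `consumed` is the element the business logic is about to read. The check passes
    // only if it is the very node the validated reference points at, and that node sits
    // where the message format expects it (assumed here: directly under the root).
    public static boolean isTheSignedElement(Document doc, String referenceUri,
                                             Element consumed, String idAttr) {
        if (referenceUri == null || !referenceUri.startsWith("#")) return false;
        Element signed = uniqueById(doc, referenceUri.substring(1), idAttr);
        return signed != null && signed.isSameNode(consumed)
               && signed.getParentNode().isSameNode(doc.getDocumentElement());
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the referenced Body (b1) has been relocated under a Wrapper
        // and a different Body (b2) now occupies the position the application reads from.
        Document doc = parse("<Envelope><Wrapper><Body Id=\"b1\">original</Body></Wrapper>"
                           + "<Body Id=\"b2\">other</Body></Envelope>");
        Element bodyAtExpectedPosition = (Element) doc.getElementsByTagName("Body").item(1);
        System.out.println("safe to process: "
                + isTheSignedElement(doc, "#b1", bodyAtExpectedPosition, "Id"));
    }
}
```

The check fails for the sample in both directions: b2 is not the referenced node, and b1 is not where the format expects the signed element to be.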

4) Definition of a Deserialization Gadget
A class in the library defines the method readObject() that is used by Java to
deserialize a stream into an object. This method uses an XML parser to achieve
this. However, the XML parser used is configured to resolve external entities.
Therefore, an attacker who can influence data that is deserialized by an
application can conduct an XXE attack (see finding 1).

Please note that the OSCI-Transport library only needs to be in the
classpath of an application - the vulnerable application does not need to
actually use the OSCI-Transport library! In order for this vulnerability to be
exploitable, an application needs to deserialize data that can be influenced by
an attacker.
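
The parser configuration findings 1 and 4 both call for, as an added Java example that is not the library's code: a DocumentBuilder that rejects any DOCTYPE and never resolves external entities, so neither a readObject() implementation nor a message parser built on it can be turned into a file reader. The feature URIs are those honoured by the JDK's bundled Xerces parser; the sample messages are constructed.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedXmlParser {

    // A DocumentBuilder with every external-entity path closed.
    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse any DOCTYPE at all: no internal, external or parameter entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that only honour the SAX-level switches.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setNamespaceAware(true);
        DocumentBuilder b = f.newDocumentBuilder();
        // Last line of defence: whatever is requested resolves to an empty source.
        b.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return b;
    }

    // True if the message parses under the hardened configuration, false if it is rejected.
    public static boolean accepts(String xml) throws ParserConfigurationException {
        try {
            newHardenedBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (SAXException | IOException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a plain message and one that declares an external entity.
        String plain = "<Message><Body>hello</Body></Message>";
        String withDoctype = "<!DOCTYPE m [<!ENTITY ext SYSTEM \"file:///placeholder\">]>"
                + "<Message><Body>&ext;</Body></Message>";
        System.out.println("plain accepted:   " + accepts(plain));
        System.out.println("doctype accepted: " + accepts(withDoctype));
    }
}
```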


Proof of concept:
-----------------
Due to the important role of the OSCI-Transport library in German e-Government
we refrain from publishing proof of concept code at this time.


Vulnerable / tested versions:
-----------------------------
The OSCI 1.2 Transport library (osci-bibliothek.jar) in version 1.6.1 was found
to be vulnerable. This was the latest version at the time of discovery.


Vendor contact timeline:
------------------------
2017-01-16: Contacting CERT-Bund for coordination support with vendor and
            German government agencies
2017-01-23: CERT-Bund informed us that vendor has been contacted; vulnerability
            has been discussed; vendor wants to fix vulnerabilities as soon
            as possible
2017-02-10: Requesting status update from CERT-Bund
2017-02-20: Received statement from Governikus detailing their risk estimation
            based on an in-depth analysis of the vulnerabilities
2017-03-06: Proposing conference call to coordinate release of the advisory
2017-03-23: Conference call with BSI, Governikus, KoSIT; Discussing risks and
            mitigating factors; advisory release date set for 2017-06-30; fixed
            version has already been released
2017-03-31: Sending conference call protocol to all participants
2017-04-07: Sending document with a list of all known potential attack scenarios
            to BSI and Governikus
2017-06-07: Sending preliminary advisory to Governikus
2017-06-21: Sending updated list of known potential attack scenarios to BSI and
            Governikus (XXE In-band scenario added)
2017-06-23: Coordinating advisory release with BSI
2017-06-30: Public release of the advisory


Solution:
---------
SEC Consult recommends to upgrade to the patched version of the OSCI Library
(1.7.1) as soon as possible.


Workaround:
-----------
None available


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF W. Ettlinger, M. Nimmerrichter / @2017

