German e-government SDK patched against ID spoofing vulnerability
Alice becomes Bob
Germany has patched a key "e-government" service against possible impersonation attacks, and both private and public sector developers have been told to check their logs for evidence of exploits.
In July, SEC Consult warned the country's federal computer emergency team at CERT-Bund that software supporting the government's nPA ID card had a critical vulnerability (the ID cards themselves have not been breached).
The Governikus Autent SDK allows web developers to check users' identities against the nPA. Because of a quirk of HTTP, the system could be tricked into authenticating the wrong person, SEC Consult said.
Online authentication is carried out using a smartcard reader and electronic ID (eID) client software such as the government's AusweisApp 2. To authenticate a citizen, a web application (which could be a government service such as tax, or a private service such as a bank or insurer) sends a request to the eID client.
"It requests a PIN from the user, communicates with an authentication server (eID-Server or SAML-Processor), the web application and the RFID chip, and finally sends a response to the web application. This response contains the data retrieved from the ID card, e.g. the name or date of birth of the citizen," the company said.
To prevent manipulation, the authentication server applies a digital signature to its response, but the SDK's authors didn't take into account a characteristic of HTTP that allowed impersonation.
HTTP allows more than one parameter to have the same name. "When the method HttpRedirectUtils.checkQueryString creates a canonical version of the query string, it parses the parameters from it and generates a new query string with the parameters placed in a specific order. The case that a parameter can occur multiple times is not considered," SEC Consult wrote.
This meant an attacker could "arbitrarily manipulate the response [from the server] without invalidating the signature".
"An attacker is therefore able to arbitrarily modify an authentic query string. By obtaining such a string (e.g. by providing a web application with nPA login and then checking the access log), he is able to authenticate as any citizen against any vulnerable web application that also trusts the issuer of the signature," the disclosure explained, as demonstrated in the video accompanying it.
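As an added illustration (not code from SEC Consult or the Governikus SDK), the Python below models the canonicalisation flaw described above: a canonicaliser that collapses parameter names into a dictionary keeps only one value per name, so a query string carrying an extra copy of a signed parameter still canonicalises to the original bytes and the signature check passes, while a consumer reading the first occurrence sees different data. The strict variant rejects repeated names outright. The HMAC stand-in for the server's signature, the key and the parameter names are constructed assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed stand-in for the signing key. The real SDK verifies an asymmetric
# signature; HMAC is used only to keep this example self-contained.
SERVER_KEY = b"constructed-demo-key"


def canonicalize_lossy(query: str) -> str:
    """Flawed pattern: collapse pairs into a dict (a repeated name keeps only
    its last value), then re-emit the pairs in a fixed, sorted order."""
    params = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        params[name] = value
    return urlencode(sorted(params.items()))


def canonicalize_strict(query: str) -> str:
    """Hardened pattern: a name occurring more than once is an error, so every
    pair in the received string is covered by the canonical form."""
    params = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name in params:
            raise ValueError(f"duplicate query parameter: {name!r}")
        params[name] = value
    return urlencode(sorted(params.items()))


def sign(query: str, canonicalize=canonicalize_strict) -> str:
    """Server side: sign the canonical form of a duplicate-free query string."""
    digest = hmac.new(SERVER_KEY, canonicalize(query).encode(), hashlib.sha256)
    return digest.hexdigest()


def verify(query: str, signature: str, canonicalize) -> bool:
    """Relying party: False for a bad signature or, with the strict
    canonicaliser, for any query string containing a repeated name."""
    try:
        expected = sign(query, canonicalize)
    except ValueError:
        return False
    return hmac.compare_digest(expected, signature)


def first_value(query: str, name: str) -> str:
    """What a consumer that reads the first occurrence of a parameter sees."""
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key == name:
            return value
    return ""
```

Running both canonicalisers over the same signed string with a repeated name shows why the fix is to reject duplicates rather than to pick one value: the lossy form verifies a string the application will read differently, the strict form refuses it.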
CERT-Bund told SEC Consult the bug was patched at the end of October. ®