List: full-disclosure
Subject: [FD] Multiple unresolved vulnerabilities in Basware Banking/Maksuliikenne
From: Samuel Lavitt - CVE-2015-0942 <CVE-2015-0942 () precipice ! fi>
Date: 2015-07-28 5:00:39
Message-ID: 1438059632522.91428 () precipice ! fi
English: Multiple vulnerabilities in Basware Banking/Maksuliikenne software that were reported already 08/2012 may still enable undetectable economic crimes against user organizations (companies)
Finnish (translated): Vulnerabilities in the Basware Banking/Maksuliikenne software, which were reported already in 08/2012, may still enable "invisible" economic crimes against user companies
Swedish (translated): Vulnerabilities in the Basware Banking/Maksuliikenne software, which were reported already in 08/2012, may still enable "invisible" economic crime against user companies
Security researcher, author: Samuel Lavitt <cve-2015-0942@precipice.fi>
Editor and translator: Ronja Addams-Moring <ronja@precipice.fi>
English Summary:
Basware Banking/Maksuliikenne, a cash/bank account management software package for enterprises from software vendor Basware, has multiple critical vulnerabilities, which are described in this report. These vulnerabilities were first observed and reported to Basware by security researcher and author of this report, Samuel Lavitt, in August 2012. These vulnerabilities, and exploits to unlawfully gain economically from them in an undetectable manner, were demonstrated by the author to Basware and CERT-FI (part of the National Cyber Security Centre Finland) on 7 July 2014. The Finnish Financial Supervisory Authority was also informed in July 2014. At least one vulnerability has been partially fixed since.
Despite that fix it is still, to the best of the author's knowledge, possible to:
- Duplicate a user organization's digital banking security keys, which are used to authenticate the banking transactions.
- Modify all the records in the user organization's Basware Banking software, including transaction records as well as pending transactions.
- Bypass all permission restrictions (access controls) in the user organization's client software.
These risks affect at least 1,500 user organizations (companies) in the Nordic and Baltic countries, mainly in Finland and Sweden. Protecting against these risks may require a complete reset of all affected digital banking keys, in addition to security fixes to the software, or discontinuing the use of the vulnerable software. To implement these changes and prevent possible fraud due to the vulnerabilities that allow the copying of banking keys, each user organization may require the assistance of banks where they have granted the Basware Banking/Maksuliikenne software access to their bank accounts. Depending on how processes are defined and technical controls implemented in each bank, making the required changes may or may not also have an impact on other bank customers who do not use the Basware Banking/Maksuliikenne software.
Summary in Finnish (translated to English):
Basware Banking/Maksuliikenne, a software package from software vendor Basware intended for managing companies' money and bank accounts, contains several critical vulnerabilities, which are described in this report. The author of this report, security expert Samuel Lavitt, first observed these vulnerabilities and reported them to Basware in August 2012. The author demonstrated these vulnerabilities, and how exploiting them makes it possible to obtain unlawful economic advantage without it being detectable, to representatives of Basware and CERT-FI (part of the Finnish Communications Regulatory Authority's National Cyber Security Centre) on 7 July 2014. The Financial Supervisory Authority was also informed of the matter in July 2014. At least one of the vulnerabilities has since been partially fixed.
To the best of the report author's knowledge, despite the fix it is still possible to:
- Duplicate the digital keys securing the user organization's banking, which are used to authenticate banking transactions.
- Modify all the data contained in the user organization's Basware Maksuliikenne software, such as account records as well as queued (scheduled) banking transactions.
- Bypass all permission restrictions (access control) in the user organization's client software.
These risks affect at least 1,500 user organizations (companies) in the Nordic and Baltic countries, mainly in Finland and Sweden. Protecting against these risks may require renewing all digital banking keys within the scope of the vulnerability, in addition to fixing the security holes in the software or discontinuing use of the vulnerable software. In order to implement these changes and to prevent possible fraud using banking keys copied through the vulnerability, each user organization may need help from all the banks where it has granted the Basware Maksuliikenne software the right to handle its bank accounts. Depending on how processes are defined and security solutions implemented in each bank, making the required changes may or may not also affect other bank customers who do not use the Basware Maksuliikenne software.
Summary in Swedish (translated to English):
Basware Banking/Maksuliikenne, a software package for companies for money and bank account management, published by software vendor Basware, has several critical vulnerabilities that are described in this report. These vulnerabilities were observed and reported to Basware by the author of this report, Samuel Lavitt, for the first time in August 2012. These vulnerabilities, and how they can be used to obtain unauthorized economic gain in a way that cannot be traced, were demonstrated by the author to Basware and CERT-FI (a part of the Finnish Communications Regulatory Authority's Cyber Security Centre in Finland) on 7 July 2014. The Financial Supervisory Authority of Finland was also informed in July 2014. At least one of the vulnerabilities has been partially corrected since then.
Despite the correction it is, to the best of the author's understanding, possible to:
- Duplicate a user organization's digital bank security keys, which are used to authenticate bank transactions.
- Alter all information in the user organization's Basware Banking software, including transaction history as well as the transactions waiting in the queue.
- Remove all permission restrictions (access control) in the user organization's client software.
These risks affect at least 1,500 user organizations (companies) in the Nordic and Baltic countries, mainly in Finland and Sweden. To protect against these risks, it may be necessary to completely renew the affected digital bank security keys, in addition to also correcting the vulnerabilities in the software, or to stop using the vulnerable software. A user organization may need help from the banks where it has given the Basware Banking software the right to use its bank accounts, in order to accomplish these changes and to prevent possible fraud through the vulnerabilities that allow the bank security keys to be copied. Depending on how the processes are defined and the technical security is implemented in a bank, implementing the necessary changes may or may not also affect other bank customers who do not use the Basware Banking software.
Full report, English only
Description of the affected software:
The Basware Banking/Maksuliikenne software (henceforth "the software") is a cash/bank account management software package for enterprises from software vendor Basware (henceforth "the vendor"). According to the best information the author of this report has, it is used by between 1,500 and 2,000 customer organizations, primarily companies throughout the Nordic and Baltic regions. The software operates as a thick client/server package, with both clients and servers running on the Windows platform. The server component is primarily an IBM Solid database server. It is possible to have the client and server components installed and operating on the same system. In that case, if the system has a properly configured firewall preventing unauthorized access, the CVE-2015-0943 vulnerability described below can be effectively mitigated.
Description of the vulnerabilities:
In August 2012 and June–July 2014, multiple vulnerabilities were found in the software by the author and reported to the vendor. Because the vendor was unable to reproduce the issues described or to confirm the presence of any vulnerability, a demonstration was given to the vendor as well as to CERT-FI in July 2014. The author was later informed by CERT-FI that the vendor stated all but one of these security issues had been fixed and that the fixes had been made available to affected customers. However, the author has not been provided with updated software to verify the resolutions himself. This report is based on the author's best knowledge on 27 July 2015. Affected version ranges and fixed version information are incomplete. Two CVE numbers were provided to the author by CERT-FI for the vulnerabilities: one for the issue that was still considered unresolved, and one for all issues that the vendor stated were resolved.
CVE-2015-0942
CVSSv2 score: 10.0 – Critical
CVSS v2 Vector (AV:N/AC:L/Au:N/C:C/I:C/A:C)
The issues in CVE-2015-0942 are issues that the vendor has informed the author to be resolved, with fixes available to customers, but the latest update provided by the vendor to the author does not appear to adequately resolve them. Affected versions are at minimum 8.40.1.0 to 8.90.07.X (the latest provided to the author).
Issue #1: Hard-coded account used for account management
All instances of the software use the same hard-coded account with an identical password for account management. This account, with the name "ANCO", is not only identical for all installations, but is also used for security-sensitive tasks. This account has sufficient permissions to perform account management tasks on other accounts, such as locking or unlocking other user accounts, as well as updating the audit trails for other accounts.
As of version 8.90.07.X, a static account for account management tasks is still present. However, the account no longer has full database permissions. The account name (and possibly password) is also different for each installation of the software, but can be found using information that can be accessed using an additional hard-coded account that was added to the server, which uses the same username and password for all installations.
Issue #2: Use of client-side access control/auditing only
The software performs login verification, audit trail creation, and even account locking via client-side functions. By simply dropping network traffic related to these functions, it is possible to disrupt security-critical functions, such as audit-trail creation for failed login attempts and account locking to prevent brute force attacks. As of version 8.90.07.X an attacker can even prevent the client from locking an account to prevent brute forcing by ending the software's process via the Windows Task Manager; the account is only locked after acknowledging the notification.
In addition, the author discovered that as of version 8.90.07.X, possibly as part of the changes to prevent abuse of the account for account management described in issue #1 above, accounts are no longer locked/disabled at all in the server. Instead, the account name is added to a table of locked accounts, and after a successful login as a user, a check of that table is made to see if the account is considered "locked". If the account is in the locked account table, the client software prompts that the user account is locked and logs the user out. This is purely a client-side check and the users actually have full permissions to modify the contents of that table, which allows any user to delete their own account lock.
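The design flaw in Issue #2 is easiest to see next to its fix. The following is an added example, not the vendor's code: two toy models of account lockout. ClientEnforcedLockout mirrors the described design (the server only answers password checks and exposes a locked-accounts table that every user may write), while ServerEnforcedLockout applies the same lockout rule inside the server's login path. The user table, password and failure threshold are constructed for the example.

```python
# Added example, not the vendor's code: two toy models of account lockout.
# ClientEnforcedLockout mirrors the design described in Issue #2 (the server
# only answers password checks and exposes a user-writable locked-accounts
# table); ServerEnforcedLockout shows the same rule enforced on the server.
import hashlib
import hmac
import secrets

MAX_FAILED = 3  # failed logins before an account is locked (constructed value)


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user_table():
    # Constructed sample data: one account with a known password.
    salt = b"constructed-salt-value"
    return {"treasurer": (salt, hash_password("correct horse", salt))}


def password_ok(users, name, password):
    if name not in users:
        return False
    salt, stored = users[name]
    return hmac.compare_digest(stored, hash_password(password, salt))


class ClientEnforcedLockout:
    """Weak design: counting failures, writing the audit entry, writing the
    lock record and logging a locked user out are all left to the client.
    A client that does not perform those steps leaves no trace server-side."""

    def __init__(self, users):
        self.users = users
        self.locked = set()   # table that every user may read and write
        self.audit = []       # only written if the client chooses to

    def check_password(self, name, password):
        return password_ok(self.users, name, password)


class ServerEnforcedLockout:
    """Hardened design: the lock check, failure count and audit entry happen
    inside login(), before any password result is returned, so dropping
    traffic or killing the client process cannot skip them."""

    def __init__(self, users):
        self.users = users
        self.failed = {}
        self.locked = set()   # not reachable through any client write
        self.audit = []

    def login(self, name, password):
        if name in self.locked:
            self.audit.append(("rejected_locked", name))
            return None
        if not password_ok(self.users, name, password):
            self.failed[name] = self.failed.get(name, 0) + 1
            self.audit.append(("login_failed", name, self.failed[name]))
            if self.failed[name] >= MAX_FAILED:
                self.locked.add(name)
                self.audit.append(("locked", name))
            return None
        self.failed[name] = 0
        self.audit.append(("login_ok", name))
        return secrets.token_hex(16)  # session token


def compare_designs(wrong_guesses=5):
    """Send the same sequence of wrong passwords, followed by the right one,
    to both models through a client that performs only the password check."""
    weak = ClientEnforcedLockout(make_user_table())
    hardened = ServerEnforcedLockout(make_user_table())
    for _ in range(wrong_guesses):
        weak.check_password("treasurer", "wrong")
        hardened.login("treasurer", "wrong")
    weak_audit = len(weak.audit)
    hardened_audit = len(hardened.audit)
    return {
        "weak_locked": "treasurer" in weak.locked,
        "weak_audit_entries": weak_audit,
        "weak_accepts_correct_password": weak.check_password("treasurer", "correct horse"),
        "hardened_locked": "treasurer" in hardened.locked,
        "hardened_audit_entries": hardened_audit,
        "hardened_accepts_correct_password": hardened.login("treasurer", "correct horse") is not None,
    }


if __name__ == "__main__":
    for key, value in compare_designs().items():
        print(f"{key}: {value}")
```

In the weak model the server never learns that anything went wrong: no audit entries, no lock, and the correct password is still accepted afterwards. In the hardened model the third failure locks the account and every attempt is recorded, whatever the client does next. The point for reviewers of any client/server product is that a control only exists where the code that enforces it runs beyond the user's control.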
Issue #3: Unprotected storage of private keys used for banking transactions
The private keys that are used by the software to communicate with the customer organization's bank are available to users of the software in plain text (or trivially protected in later versions) in the SQL database. As of version 8.90.07.X these keys are available to all users of the software, even if the access control policies provided to the system administrators are specifically set to restrict access from the users. The usage of these keys allows an attacker to completely bypass the control mechanisms in place and impersonate the software or a valid authorized account holder to various online banking systems directly, enabling authentication of fraudulent requests.
Issue CVE-2015-0943
CVSSv2 Score: 8.3 – High
CVSS v2 Vector (AV:A/AC:L/Au:N/C:C/I:C/A:C)
The vendor has informed the author and customers in an email sent 13 October 2014 to all customers that this issue will be resolved in 2015 using native Solid DB encryption. Affected versions are at minimum 8.40.1.0 to 8.90.07.X.
Issue #4: Use of plain text for all SQL server communications
The communications between the thick client and the backend (SQL) server are done in plain text and without tamper protection. Any hostile actor who is able to perform a man-in-the-middle attack on the communications can manipulate all information sent between the SQL server and the client. A man-in-the-middle attack would allow complete modification of all banking/payment information, access to bank account encryption keys, modification of all payment records, etc. Even if an attacker is not able to perform a man-in-the-middle attack on the communications, access to packet captures can still reveal sensitive banking information, user credentials for the banking system, and possibly also encryption keys, which might allow direct impersonation of authorized users to the banks. There is also no replay protection, so an attacker who has a copy of the messages sent from the client to the server during user login can reuse those same messages to gain full access to the banking server.
This issue was partially confirmed by the vendor in an announcement sent to their customers in October 2014, with an offer of a work-around using 3rd-party solutions provided by contacting vendor support.
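Issue #4 names two missing properties, tamper protection and replay protection. The following is an added example, not the vendor's code, showing what a message frame with both properties looks like: each frame carries a session id, a strictly increasing sequence number and a random nonce, all covered by an HMAC-SHA256 under a shared key, and the receiver rejects a bad MAC, a repeated nonce or a non-advancing sequence number before acting on the body. The shared key, session id and messages are constructed for the example.

```python
# Added example, not the vendor's code: an authenticated, replay-protected
# message frame of the kind Issue #4 says the client/server channel lacks.
# The shared key and all messages below are constructed for the example.
import hashlib
import hmac
import json
import secrets


def frame_mac(key, session, seq, nonce, body):
    """HMAC-SHA256 over a canonical encoding of every frame field, so that
    changing any field (including the sequence number) invalidates the MAC."""
    canonical = json.dumps([session, seq, nonce, body], sort_keys=True,
                           separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class Sender:
    """Client side: numbers each frame per session and attaches a fresh nonce."""

    def __init__(self, key, session):
        self.key, self.session, self.seq = key, session, 0

    def frame(self, body):
        self.seq += 1
        nonce = secrets.token_hex(8)
        return {"session": self.session, "seq": self.seq, "nonce": nonce,
                "body": body,
                "mac": frame_mac(self.key, self.session, self.seq, nonce, body)}


class Receiver:
    """Server side: verifies the MAC first, then rejects any frame whose nonce
    was already seen or whose sequence number does not advance, before the
    body is acted on."""

    def __init__(self, key):
        self.key = key
        self.last_seq = {}       # session -> highest accepted seq
        self.seen_nonces = set()
        self.accepted = []
        self.rejected = []

    def receive(self, frame):
        expected = frame_mac(self.key, frame["session"], frame["seq"],
                             frame["nonce"], frame["body"])
        if not hmac.compare_digest(expected, frame["mac"]):
            self.rejected.append(("bad_mac", frame["seq"]))
            return False
        if (frame["nonce"] in self.seen_nonces
                or frame["seq"] <= self.last_seq.get(frame["session"], 0)):
            self.rejected.append(("replay", frame["seq"]))
            return False
        self.seen_nonces.add(frame["nonce"])
        self.last_seq[frame["session"]] = frame["seq"]
        self.accepted.append(frame["body"])
        return True


def demo():
    """Deliver a login frame once, then the same captured frame again, then a
    payment frame whose amount was altered in transit."""
    key = b"constructed-shared-key"
    sender, receiver = Sender(key, "sess-1"), Receiver(key)
    login = sender.frame({"op": "login", "user": "treasurer"})
    first = receiver.receive(login)
    replayed = receiver.receive(dict(login))
    payment = sender.frame({"op": "payment", "amount": "100.00"})
    altered = dict(payment, body={"op": "payment", "amount": "100000.00"})
    tampered = receiver.receive(altered)
    return {"first_delivery": first, "replay": replayed,
            "tampered": tampered, "accepted_frames": len(receiver.accepted),
            "rejections": [kind for kind, _ in receiver.rejected]}


if __name__ == "__main__":
    print(demo())
```

The MAC covers integrity and origin, and the nonce plus sequence number cover replay; confidentiality is not addressed here, which is why the suggestions below call for an encrypting, authenticating transport (TLS between client and server gives all three at once, and is the standard choice rather than a hand-rolled frame like this one). The receiver's nonce set grows without bound in this toy; a real implementation would scope nonces to a session or bounded time window.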
Suggestions for organizations using the software:
Disclaimer: The suggestions below may assist your risk management or information security department in determining appropriate actions for your organization based on your environment and security posture. These suggestions are in no way meant to be instructions or to provide protection against or detection of abuse. Any response should be tailored to your organization by competent internal or external experts who understand the software vulnerabilities as well as your organization's policies, procedures, and operational environment.
- Contact Basware and ensure that you are running the latest version of the Banking software. Follow any applicable recommendations provided by Basware to reduce your security risks.
- Have the software evaluated in your environment by a skilled security engineer or penetration tester to validate that these security vulnerabilities have been resolved.
- Move the Banking server to a location where it is only accessible from trusted networks.
- Remove unneeded user accounts or accounts belonging to untrusted users from the Banking software.
- Consider transferring money out of accounts managed by the Banking software to reduce the amount of financial damage in case of a breach, and keeping minimal operating expenses in the at-risk accounts.
- Perform an internal audit of bank account balances and transaction history, retrieving the account information directly from the bank. This is recommended because the records in the Banking software can be tampered with.
- Consider blocking all network access to the Banking server and performing transactions using only clients installed on the same system as the server.
- Investigate whether the security of your environment may have been compromised at any time, or whether the Banking software may have been accessible directly. If so, contact all banks that have private keys stored in the software to revoke those keys as a fraud prevention measure. Securely replace those keys only after the risks have been addressed.
- Use a third-party encryption solution that provides strong encryption and authentication of network communications for the Banking software to protect against tampering, and ensure that only encrypted and authenticated connections to the Banking server are possible.
- Install current anti-virus and anti-malware software as well as all vendor-provided security updates on the Banking server and any computers where the Banking client is used.
- Consider using whitelisting to control the software allowed to execute on the Banking server as well as on any computers where the Banking client is used.
- Establish procedures as part of the software acquisition process to verify vendor security claims as well as fitness for use.
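The audit suggestion above rests on one idea: records held in the software cannot be trusted, so the bank's own statement is the reference. The following is an added example, not part of the advisory, of that reconciliation: it indexes a bank statement and the local records by payment reference and reports entries the bank knows but the software does not, entries the software holds with no bank counterpart, and entries whose amount or counterparty differ. Both CSV inputs are constructed sample data in a hypothetical column layout, not any real bank or Basware export format.

```python
# Added example, not from the advisory: reconciles a bank-provided statement
# against the organisation's local transaction records, as the suggestion to
# audit balances and history directly from the bank calls for. Both CSV inputs
# are constructed sample data in a hypothetical layout.
import csv
from decimal import Decimal
from io import StringIO

BANK_STATEMENT_CSV = """reference,date,amount,counterparty
INV-1001,2015-07-20,-1250.00,Supplier Oy
INV-1002,2015-07-21,-780.50,Toimittaja Ab
PAY-2001,2015-07-22,-9999.00,Unknown Ltd
"""

LOCAL_RECORDS_CSV = """reference,date,amount,counterparty
INV-1001,2015-07-20,-1250.00,Supplier Oy
INV-1002,2015-07-21,-78.50,Toimittaja Ab
INV-1003,2015-07-23,-300.00,Printing Oy
"""


def load_rows(csv_text):
    """Index rows by payment reference; a duplicate reference is an error
    because the later row would silently overwrite the earlier one."""
    rows = {}
    for row in csv.DictReader(StringIO(csv_text)):
        ref = row["reference"]
        if ref in rows:
            raise ValueError(f"duplicate reference {ref}")
        row["amount"] = Decimal(row["amount"])   # never float for money
        rows[ref] = row
    return rows


def reconcile(bank_csv, local_csv):
    """Return (findings, bank_total, local_total). Each finding names the
    reference and what differs between the bank's view and the local one."""
    bank, local = load_rows(bank_csv), load_rows(local_csv)
    findings = []
    for ref in sorted(set(bank) | set(local)):
        if ref not in local:
            findings.append(("at_bank_only", ref))        # payment the software never recorded
        elif ref not in bank:
            findings.append(("local_only", ref))          # record with no matching bank entry
        elif bank[ref]["amount"] != local[ref]["amount"]:
            findings.append(("amount_mismatch", ref))
        elif bank[ref]["counterparty"] != local[ref]["counterparty"]:
            findings.append(("counterparty_mismatch", ref))
    bank_total = sum(r["amount"] for r in bank.values())
    local_total = sum(r["amount"] for r in local.values())
    return findings, bank_total, local_total


if __name__ == "__main__":
    findings, bank_total, local_total = reconcile(BANK_STATEMENT_CSV, LOCAL_RECORDS_CSV)
    for kind, ref in findings:
        print(f"{kind:22} {ref}")
    print(f"bank total {bank_total}, local total {local_total}")
```

On the sample data the three findings are exactly the cases the report warns about: an altered amount, a local record with nothing behind it at the bank, and a bank-side payment the software shows no trace of. The statement should come from the bank through a channel independent of the affected software (the bank's own portal or a signed statement file), since a statement fetched through the compromised system could be altered on the way in.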
Timeline
Dates are approximate and to the best of the author's memory, as the author was not the primary person handling communications with the vendor.
August, 2012
    The author discovered plain-text unauthenticated communications and client-side account locking bypass in a previous version (8.40.1.0) and informed vendor support personnel when they were resolving another issue with the software. Vendor support said that the author was incorrect, as the software version in question was outdated, and had known security issues. The author was told by the vendor's support technician that the security issues were already resolved in an update, which would be installed by the vendor in the near future.
September, 2013
    The software was updated to version 8.70.0.0 as part of other updates. The author did not verify at that time that the update resolved the security issues that had been found.
19 June, 2014
    The author encountered the software again and discovered that the same issues still existed. Further research was done by the author and the vendor was contacted with detailed findings. The author offered to provide a demo as the vendor reported that they were unable to reproduce the issues.
7 July, 2014
    The author provided a demo for the vendor and CERT-FI, showing the vulnerabilities and working proof-of-concept exploits, which gave the ability to change bank account balances and the records of banking transactions in the system, as well as copying the private banking keys used for communication with the banks.
Week of 7 July, 2014
    Confirmation was received from the vendor that they were able to reproduce the findings now that the issue was understood. The author was informed that the vendor was working towards providing a fix and would keep the author updated.
Regularly from this point on, the author checked with the party handling communication with the vendor, but was not given any update on the issue or told anything about fixes being available.
14 January, 2015
    The author was informed that all security issues had been resolved by the vendor. The author was asked to re-verify his findings in the software installation.
15 January, 2015
    The author confirmed that all security issues still applied and that the software installation was not updated. Further updates were requested from the vendor.
Week of 23 February, 2015
    The author was informed that someone in the media had found out about the security vulnerabilities and was preparing to go public. The author contacted CERT-FI to organize CVE numbers and was told that progress had been made and CERT-FI had been told by the vendor that all but one of the vulnerabilities were resolved. CERT-FI was asked by the author to encourage the vendor to respond to communication attempts and to provide the security updates for review.
4 March, 2015
    The product manager for the vendor contacted the author, offering to provide installation of security updates. This was scheduled for 11 March.
6 March, 2015
    Helsingin Sanomat (HS) published an article on Basware security vulnerabilities. Following this, CERT-FI published their statements in Finnish and in English. The author was asked by CERT-FI not to disclose any more details until the author evaluated the security fixes, in case the fixes were inadequate.
- The HS article "Paha tietoturva-aukko altistaa yritykset valemaksuille" (Finnish only; English translation of the title: "Bad security vulnerability exposes companies to fraudulent payments"): http://www.hs.fi/talous/a1425539014674
- CERT-FI publication "Vulnerabilities in Basware Banking" (English): https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2015/haavoittuvuus-2015-018.html
- CERT-FI publication "Haavoittuvuuksia Basware Maksuliikenne -ohjelmistossa" (Finnish): https://www.viestintavirasto.fi/kyberturvallisuus/haavoittuvuudet/2015/haavoittuvuus-2015-018.html
11 March, 2015
    The vendor provided updates, but it became apparent to the author during this process that issues still remained unresolved. CERT-FI was contacted and it was agreed that they would send a technical expert to assist with a review.
13 March, 2015
    The author and a technical expert from CERT-FI thoroughly analyzed the software and determined that the findings described above were still valid. The author was asked to give the vendor 42 days to resolve the issues before public disclosure.
28 July, 2015
    Full disclosure.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/