usd-2018-0021 | SafeQ Pro SmartCard/v2
Advisory ID: usd-2018-0021
CVE number: CVE-2018-15498
Affected Product: SafeQ Pro SmartCard
Card reader: Terminal Pro SmartCardv2; MP04092 v. 3.15.0-rccc997 DEVEL
Server: YSoft SafeQ 6
Client: YSoft SafeQ client 126.96.36.199
Vulnerability Type: Replay Attack
Security Risk: Medium
Vendor URL: https://www.ysoft.com/
Vendor Status: Fixed
The communication between the card reader and the print server is vulnerable against replay attacks.
An attacker can record the network traffic between the card reader and the print server and thereby reissue a print job.
An attacker records the network traffic between card reader and print server. A valid connection request, including authentication, can later be resent to the print server by the attacker and thereby she can gain unauthorized access. Recording the network traffic can be done with the help of a packet analyzer. The attacker can place the analyzer hardware between the card reader and switch the reader is connected to. Thereafter she can, independent from any timing, resend the recorded packages to the server.
Proof of Concept
The recorded network traffic can be sent to the print server using the tool nc (netcat). In the following example, the file raw.txt contains the record of the network traffic.
root@local: cat raw.txt .SQ 3.15.0-rccc9976 SQPRH373535862E .CFG gd lang=EN quota=1 puk=2 remotejob=1 billcode=1 joblist=2 auth=1 cardoutdialog=1 printsendend=1 secure= root@local: cat raw.txt | nc [print server IP] 4096
The answer of the server was recorded using wireshark.
.SQ OK .CFG OK | joblist=Mg== auth=MQ== jobpreview=MQ==
The corresponding document will be printed again. The successful attack can be verified by the server log files.
The network traffic should be secured by standard transport security protocols. We strongly recommend the use of TLSv1.2.
- 2018-07-02 First contact request via firstname.lastname@example.org
- 2018-07-16 Second contact request via email@example.com
- 2018-07-20 YSoft replied and urged for information about the security issue
- 2018-07-20 YSoft received the information about the security issue
- 2018-08-06 YSoft requested to extend the full disclosure date to 15.09.2018
- 2018-08-09 CVE-ID was requested
- 2018-08-18 CVE Mitre replied with suggested description and CVE-ID, which was forwarded to YSoft
- 2018-09-07 vendor states to have fixed the vulnerability in version YSoft SafeQ 6 MU23
- 2018-11-19 The advisory has been published
These security vulnerabilities were found by Ca Way Le and Stefan Schmer of usd AG.
ABOUT usd SECURITY ADVISORIES
In order to protect businesses against hackers and criminals, we always have to keep our skills and knowledge up to date. Thus, security research is just as important for our work as is building up a security community to promote the exchange of knowledge. After all, more security can only be achieved if many individuals take on the task.
Our CST Academy and our usd HeroLab are essential parts of our security mission. We share the knowledge we gain in our practical work and our research through training courses and publications. In this context, the usd HeroLab publishes a series of papers on new vulnerabilities and current security issues.
Always for the sake of our mission: „more security.“
In accordance with usd AG’s Responsible Disclosure Policy, all vendors have been notified of the existence of these vulnerabilities.
The information provided in this security advisory is provided „as is“ and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible.