usd-2018-0021 | SafeQ Pro SmartCard/v2


Advisory ID: usd-2018-0021
CVE number: CVE-2018-15498
Affected Product: SafeQ Pro SmartCard
Affected Version:
Card reader: Terminal Pro SmartCardv2; MP04092 v. 3.15.0-rccc997 DEVEL
Server: YSoft SafeQ 6
Client: YSoft SafeQ client 6.0.13.1
Vulnerability Type: Replay Attack
Security Risk: Medium
Vendor URL: https://www.ysoft.com/
Vendor Status: Fixed

Description

The communication between the card reader and the print server is vulnerable against replay attacks.
An attacker can record the network traffic between the card reader and the print server and thereby reissue a print job.

An attacker records the network traffic between card reader and print server. A valid connection request, including authentication, can later be resent to the print server by the attacker and thereby she can gain unauthorized access. Recording the network traffic can be done with the help of a packet analyzer. The attacker can place the analyzer hardware between the card reader and switch the reader is connected to. Thereafter she can, independent from any timing, resend the recorded packages to the server.

Proof of Concept (PoC)

The recorded network traffic can be sent to the print server using the tool nc (netcat). In the following example, the file raw.txt contains the record of the network traffic.

root@local: cat raw.txt
.SQ 3.15.0-rccc9976 SQPRH373535862E
.CFG gd lang=EN quota=1 puk=2 remotejob=1 billcode=1 joblist=2 auth=1
cardoutdialog=1 printsendend=1 secure=
root@local: cat raw.txt | nc [print server IP] 4096

The answer of the server was recorded using wireshark.

.SQ OK
.CFG OK | joblist=Mg== auth=MQ== jobpreview=MQ==

The corresponding document will be printed again. The successful attack can be verified by the server log files.

Fix

The network traffic should be secured by standard transport security protocols. We strongly recommend the use of TLSv1.2.

Timeline

  • 2018-07-02 First contact request via info@ysoft.com
  • 2018-07-16 Second contact request via press@ysoft.com
  • 2018-07-20 YSoft replied and urged for information about the security issue
  • 2018-07-20 YSoft received the information about the security issue
  • 2018-08-06 YSoft requested to extend the full disclosure date to 15.09.2018
  • 2018-08-09 CVE-ID was requested
  • 2018-08-18 CVE Mitre replied with suggested description and CVE-ID, which was forwarded to YSoft
  • 2018-09-07 vendor states to have fixed the vulnerability in version YSoft SafeQ 6 MU23
  • 2018-11-19 The advisory has been published

Credits

These security vulnerabilities were found by Ca Way Le and Stefan Schmer of usd AG.