-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2024-048
Product:                   IDOL2 (uciIDOL)
Manufacturer:              UCI Software GmbH
Affected Version(s):       ≤ 2.12
Tested Version(s):         2.12
Vulnerability Type:        Use of Hard-coded Cryptographic Key (CWE-321)
Risk Level:                Medium
Solution Status:           Open
Manufacturer Notification: 2024-06-26
Solution Date:
Public Disclosure:         2024-08-19
CVE Reference:             CVE-2024-45165
Authors of Advisory:       Ludwig Stage and Manuel Stotz, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

IDOL2 is a rich client application for uciIDOL that appears to provide
various functions, e.g. personnel time recording.

The manufacturer describes the product as follows (see [1]):

"The uciIDOL product family comprises modular applications for the areas
of personnel time and production data recording as well as for access
control and inventory management. Within these main groups we offer you
numerous function modules so as to enable a system tailored to your
needs. As required, you can supplement these with the individually
selectable modules of idolWEB. The web-based applications offer you
flexibly deployable extensions and additional options for working with
the uciIDOL applications."

Due to the use of static encryption keys (and the use of a symmetric
encryption algorithm), IDOL2 is vulnerable to passive and active
machine-in-the-middle (MitM) attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Data is sent encrypted between client and server. However, the key is
derived from the string "(c)2007 UCI Software GmbH B.Boll" (without
quotes). The key is both static and hardcoded: every installation uses
the same key, and the key material is available to anyone holding the
client binary.

With access to messages, this results in message decryption and
encryption by an attacker, thus enabling passive and active MitM
attacks.
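The following example, added to this write-up and not part of the advisory or the product, illustrates the CWE-321 pattern described above in general terms. It does not reproduce IDOL2's real key derivation or cipher (the advisory names the constant but not the algorithm); the constant, the SHA-256 derivation and the HMAC-based toy cipher are all constructed for the demonstration. It contrasts a key derived from a compile-time constant, which a third party holding the binary recovers and can use to read and produce valid messages, with a per-session key from an ephemeral Diffie-Hellman exchange over the RFC 2409 group 2 modulus, where the same observer gains nothing from the constant.

```python
"""CWE-321 illustration: a key derived from a constant shipped in the binary
versus an ephemeral per-session key. Constructed for this write-up; it does
not reproduce the product's actual key derivation or cipher."""
import hashlib
import hmac
import secrets

# Constructed placeholder standing in for any constant embedded in a program.
HARDCODED_CONSTANT = b"DEMO-HARDCODED-KEY-MATERIAL (placeholder, not the product's)"


def static_key() -> bytes:
    """Key derived from a compile-time constant: identical for every install,
    and recoverable by anyone who can read the program."""
    return hashlib.sha256(HARDCODED_CONSTANT).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a simple symmetric cipher."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, message: bytes):
    """Return the plaintext, or None when the tag does not verify under `key`."""
    nonce, ct, tag = message[:16], message[16:-32], message[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


# RFC 2409 group 2 (1024-bit MODP) for the demonstration; a real deployment
# would run the session over TLS rather than hand-roll the exchange.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2


def dh_keypair():
    """Fresh private exponent and public share for one session."""
    priv = 2 + secrets.randbelow(P - 3)
    return priv, pow(G, priv, P)


def session_key(priv: int, peer_pub: int) -> bytes:
    """Per-session key: hash of the shared DH secret."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(128, "big")).digest()


def observer_with_static_key(plaintext: bytes):
    """A third party who only read the constant out of the binary both
    recovers the plaintext and produces a message the server accepts."""
    wire = encrypt(static_key(), plaintext)
    observer_key = static_key()                 # same derivation, same constant
    recovered = decrypt(observer_key, wire)
    injected = encrypt(observer_key, b"not from the client")
    return recovered, decrypt(static_key(), injected)


def observer_with_ephemeral_key(plaintext: bytes):
    """With ephemeral DH the observer sees both public shares and the
    ciphertext but the static constant no longer helps; the peers still agree."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    wire = encrypt(session_key(c_priv, s_pub), plaintext)
    observer_attempt = decrypt(static_key(), wire)   # tag fails -> None
    return decrypt(session_key(s_priv, c_pub), wire), observer_attempt


if __name__ == "__main__":
    print(observer_with_static_key(b"badge 4711 clock-in 08:01"))
    print(observer_with_ephemeral_key(b"badge 4711 clock-in 08:01"))
```

The ephemeral exchange shown here closes the passive case only; without authentication of the server's share (a certificate validated by the client, as TLS provides) an active MitM can still substitute its own share, which is why the practical remedy is a properly authenticated transport rather than a different symmetric key.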
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-06-26: Vulnerability reported to manufacturer
2024-06-26: Queries by the manufacturer about the circumstances under
            which the vulnerability was discovered
2024-06-27: Answers given to manufacturer and an offer to talk
2024-06-27: Invitation to a discussion with manufacturer
2024-07-03: Rejection of the offer to a call by the manufacturer
2024-08-12: Advisories sent to the manufacturer prior to publication
2024-08-19: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for uciIDOL
    https://uci.de/products/index.html
[2] SySS Security Advisory SYSS-2024-048
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-048.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] IDOL2 client download site
    https://uci.de/download/idol2-client.html
[5] IDOL2 client binary download
    http://download.uci.de/idol2/idol2Client_2_12.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Ludwig Stage and Manuel Stotz
of SySS GmbH.

E-Mail: ludwig.stage@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Ludwig_Stage.asc
Key Fingerprint: C2FF F40D FC78 791E EF81 20DF 4B57 48C9 53A5 EE5E

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEwv/0Dfx4eR7vgSDfS1dIyVOl7l4FAmbG7GoACgkQS1dIyVOl
7l5+/xAArbIYUmN34B8rzQrJaE1ZOdrwYCHImXVyUQTQl8jGBZUgdwmuEo89Wr0V
pQSeyFEiPhhxK9r6KWdGU26CtIUn/enJwrIYQddMRYUaf66Bl199nTK8InTUzoWU
ZNGSE2T3MRrJlSftSE/zkd1FMxFXWJM/G+wdBLTuUwbVAni7jSORNhfIDJYPxFe2
F2jLhA8wi/qyfOcit0Y+lnUUOcf2bSwtuh8AYHIa+Qg4FIh92zM2eVZDw8JbSiM4
zYGky1aQ6KDAaPKjZdOYOB8Are/R+72GG+X1gz7KgsQvij8QsdjMWOpGkuVx9T6t
qkcQmayWK1cDzyC/zK5NWZIFmf9A7VsvOd6TK4OzQ0cDym5jdMA7LfNDriqSob+u
C+PEBBam9ftOEB/gGqEPeg6r4s4W9KLgEIijBHY/OsWmQ5ZF+vF1o5zY5xb/Y22y
aSotWker/gE6tWigl9vENrJ5Gl+HrNNbn1cBYqGGVci3KmCDUAH4Dnz73/NfaM7/
BtfZdwhAr9CBMEWziqbfSKNCZF9sIWSJ8t1YJt7YdgTcJf7y8vl+Mq6fFoVrRLsZ
btrKo65sVrAKGR8UiUPYvFO9t6RbSbePFcDS35Eshm3e3EBfuZ+N4sGponY1hPIG
PORbE5Y3ur1BsG96ZHU+GbkVq3iqKcjwBfMfDpwzzpPvA3zGAGI=
=Sl6o
-----END PGP SIGNATURE-----