-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2024-049
Product: IDOL2 (uciIDOL)
Manufacturer: UCI Software GmbH
Affected Version(s): ≤ 2.12
Tested Version(s): 2.12
Vulnerability Type: Improper Authentication (CWE-287)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2024-06-26
Solution Date:
Public Disclosure: 2024-08-19
CVE Reference: CVE-2024-45168
Authors of Advisory: Ludwig Stage and Manuel Stotz, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

IDOL2 is a so-called rich client application for uciIDOL and appears to
provide various functions, e.g. personnel time recording.

The manufacturer describes the product as follows (see [1]):

"The uciIDOL product family comprises modular applications for personnel
time recording and operational data capture as well as for access control
and merchandise management. Within these main groups we offer numerous
function modules so that a system can be tailored to your needs. As
required, these can be supplemented by the individually selectable modules
of idolWEB. The web-based applications offer flexibly deployable
extensions and additional options for working with the uciIDOL
applications."

Due to missing endpoint validation (cf. TLS certificate validation), IDOL2
is vulnerable to passive and active machine-in-the-middle (MitM) attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Data is transferred over a raw socket without any authentication
mechanism. Thus, communication endpoints are not verifiable.

For details on the encryption with a static key, refer to SYSS-2024-048.

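For readers who want to see what the missing endpoint validation means in code, the following Python snippet is an added example; it is not part of this advisory and not code from the IDOL2 product. It builds a client TLS context that requires a certificate chaining to a trusted CA and a host name match, places the weak configuration that accepts any listener beside it, and audits both for the difference. The host name, CA path and the use of port 2012 as a TLS port are placeholders (the advisory only names port 2012 through its PoC listener).

```python
import socket
import ssl

# Constructed placeholders for this example: the advisory names neither the
# IDOL2 server host nor a CA, only the listener port used in its PoC.
SERVER_HOST = "idol2-server.example"   # placeholder hostname
SERVER_PORT = 2012                     # port from the advisory's PoC listener
CA_BUNDLE = "idol2-ca.pem"             # placeholder path to the deployment CA

FINDING_NO_PEER_VERIFICATION = "no-peer-verification"
FINDING_NO_HOSTNAME_CHECK = "no-hostname-check"
FINDING_LEGACY_TLS = "legacy-tls-allowed"


def make_verifying_context(ca_bundle=None):
    """Client context that authenticates the server endpoint.

    Two checks distinguish this from the raw-socket transport described in
    the advisory: the presented certificate must chain to a trusted CA, and
    its name must match the host the client meant to reach. Without a CA
    bundle the platform trust store is used.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED   # reject peers without a valid chain
    ctx.check_hostname = True             # reject certificates for other hosts
    if ca_bundle is not None:
        ctx.load_verify_locations(cafile=ca_bundle)
    else:
        ctx.load_default_certs()
    return ctx


def make_weak_context():
    """Context that encrypts but does not authenticate: any listener is accepted.

    This is the TLS-level counterpart of the advisory's finding; a rogue
    listener on the configured port completes the handshake unchallenged.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return the endpoint-authentication weaknesses found in a client context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(FINDING_NO_PEER_VERIFICATION)
    if not ctx.check_hostname:
        findings.append(FINDING_NO_HOSTNAME_CHECK)
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(FINDING_LEGACY_TLS)
    return findings


def endpoint_is_authenticated(ctx):
    """True only when the context would refuse an unauthenticated endpoint."""
    return audit_context(ctx) == []


def connect_authenticated(host, port, ctx, timeout=5.0):
    """Open a TCP connection and complete a verified TLS handshake on it.

    server_hostname is what check_hostname compares against the certificate;
    an impostor without a matching, trusted certificate raises
    ssl.SSLCertVerificationError instead of getting a session.
    """
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    for label, ctx in (("verifying", make_verifying_context()),
                       ("weak", make_weak_context())):
        print(f"{label}: findings={audit_context(ctx) or 'none'}")
```

A raw socket, as used by the client in this advisory, performs none of the three checks audit_context() reports on, so any listener on the configured port is accepted as the server; with the verifying context, connect_authenticated() refuses an endpoint that cannot present a trusted certificate for the intended host name.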
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

nc -lvp 2012

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-06-26: Vulnerability reported to manufacturer
2024-06-26: Queries by the manufacturer about the circumstances under
            which the vulnerability was discovered
2024-06-27: Answers given to manufacturer and an offer to talk
2024-06-27: Invitation to a discussion with manufacturer
2024-07-03: Rejection of the offer to a call by the manufacturer
2024-08-12: Advisories sent to the manufacturer prior to publication
2024-08-19: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for uciIDOL
    https://uci.de/products/index.html
[2] SySS Security Advisory SYSS-2024-049
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-049.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] IDOL2 client download site
    https://uci.de/download/idol2-client.html
[5] IDOL2 client binary download
    http://download.uci.de/idol2/idol2Client_2_12.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Ludwig Stage and Manuel Stotz of
SySS GmbH.

E-Mail: ludwig.stage@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Ludwig_Stage.asc
Key Fingerprint: C2FF F40D FC78 791E EF81 20DF 4B57 48C9 53A5 EE5E

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEwv/0Dfx4eR7vgSDfS1dIyVOl7l4FAmbG7LIACgkQS1dIyVOl
7l7cRw/9HFfmFUzqCtFRH5uMmqKglg6+FKT4Hizygc5vYYjRGgnap6psfXRcIrBL
c11NlJZLV8nWkAtWKMiodoXV0qy24ZTXZn1g9nZpVhAhb/XLHEI3KIzuJZZG7ziA
fYPJH9xn5a/ia3p4mTQHS9NP1To/XG1GKxWlhVidz6iVyQ7ArXvkWwU+HgEE6poE
uj5vNQm9Au0IAAjeNM8rNTyBkTKF/QoXR2HP7LE959ors7rFXGWyKLrc0yvzfXfY
qncO0Sv+37TMP76/PfmzuYHbTnxzaVdQw55Lx9B93YXkj6ValNbGfZXyYTnbB4HW
311so+pK0jRUxMsULgGrbdc2O2Axz2S6HJHIoZDKAutVE8hlOM8v/nNHDRC7fiO0
cidSlD4QzkUQqetTEww6lMifkMTfNCEsA7GvIJuJ/EzUQxwEe4hAkrnIQxC3qfT+
uoeiSfab2X9QHpmt0XckUYoOSLkO3Q04fqCClJCDZbTDHcim2J23dmvghNH31hwX
Lxdzsn4pW2n2+uQVHKDGdNlsCeowmPTbBXbxTLC98uzxRfajD3b0UlGJcByWv8xh
LjgYJ6tj5sGatm4YvsIIzyN4ZYh2IMzhrbhlmBAfRMPqy2ZWIF2IclzvGV9tb2At
arqnXl2Hub10OUkhh86r2fI2uYU3Q5gmGStxsC4L9qV95gcHOmA=
=pp6I
-----END PGP SIGNATURE-----