IT security of the electronic health record in the Principality of Liechtenstein

On 1 January 2022, the Act on the Electronic Health Record (EGDG) came into force in the Principality of Liechtenstein. The electronic health record (eGD) is being introduced for all 39,000 citizens who do not object, an objection that must be accompanied by a copy of the person's passport. We took a closer look.

A journalistic write-up of our findings is available from the Liechtensteiner Vaterland (paywall).

Read more…

Multiple vulnerabilities in Aten PE8108 power distribution unit

Pentagrid identified several vulnerabilities in the PE8108 rack power distribution unit (PDU) manufactured by Aten. The PE8108 is an outlet-metered and switched rack-mountable PDU, which means it measures the power drawn by connected devices on a per-outlet basis and allows switching individual outlets on and off. The PDU can be controlled, for example, via HTTP/HTTPS and Telnet. Accordingly, the PDU provides authentication and supports multiple users, with the option to restrict a user's access to certain outlets. During a review, Pentagrid found the authorization checks to be broken in several places, which might lead to a compromise of the appliance. Since the main purpose of the PDU is to distribute power to data center components, the main threat is that attackers switch off parts of the infrastructure.

Read more…

Credit card statement disclosure vulnerability in Viseca's eXpense portal

As a security company, we try to use services that are solid, trustworthy and secure, and therefore we do our due diligence when we find the time for it. Checking products for IT security issues in a non-intrusive way is part of that. You can call it supply chain security if you like.

To avoid scanning credit card paper statements sent by snail mail every month, Pentagrid was looking for an option to receive them electronically. For our bank, though, the only option was to sign up for Viseca's eXpense platform, which allows access to business credit card statements in PDF format. However, upon logging into the portal for the first time, our experienced analyst's gut feeling told us something was not right. For example, the second factor when logging in to the eXpense platform was simply typing the last four digits of our telephone number. That is definitely not state-of-the-art security.

We decided to have a quick look. Our experience in web application security analysis told us that the download function for PDF statements was a good candidate to examine. We have seen this kind of functionality fail in many applications before. You may guess what happened.
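The classic way such a download function fails, shown as an added illustration that is not code from Viseca's portal, from Aten's firmware or from Pentagrid's write-ups (the statement IDs, user names and PDF bytes below are constructed): the handler resolves a statement by the identifier in the request and never checks that the identifier belongs to the logged-in session. That is an insecure direct object reference, and a tester finds it by walking the IDs next to a legitimate one. The same missing object-level authorization check is what the Aten PDU teaser above describes for per-outlet access, so one example serves both.

```python
"""Broken vs. enforced object-level authorization on a statement download.

Constructed illustration of a generic failure pattern, not the code of any
product named on this page. All data below is made up.
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Statement:
    statement_id: int
    owner: str          # login name of the customer the statement belongs to
    pdf: bytes          # would be the PDF body served to the browser


class NotFound(Exception):
    """Raised for IDs the caller is not shown. Used for both unknown and
    foreign IDs so the response does not reveal which IDs exist."""


# Constructed sample store: two customers with consecutive statement IDs,
# the kind of ID space that invites enumeration.
STATEMENTS = {
    1001: Statement(1001, "alice", b"%PDF-1.4 alice statement"),
    1002: Statement(1002, "bob", b"%PDF-1.4 bob statement"),
}


def download_vulnerable(session_user: str, statement_id: int) -> bytes:
    """Vulnerable handler: looks the statement up by ID only.
    session_user is taken from the session but never compared to the owner."""
    stmt = STATEMENTS.get(statement_id)
    if stmt is None:
        raise NotFound(statement_id)
    return stmt.pdf


def download_hardened(session_user: str, statement_id: int) -> bytes:
    """Hardened handler: the lookup is scoped to the caller's own statements.
    A foreign ID is treated exactly like an unknown one."""
    stmt = STATEMENTS.get(statement_id)
    if stmt is None or stmt.owner != session_user:
        raise NotFound(statement_id)
    return stmt.pdf


def probe_neighbouring_ids(handler: Callable[[str, int], bytes],
                           session_user: str, start: int, count: int) -> List[int]:
    """What a tester does with one legitimate ID: try the IDs around it and
    record which ones the handler serves to this session. Anything beyond
    the session's own statements is a disclosure."""
    served = []
    for sid in range(start, start + count):
        try:
            handler(session_user, sid)
            served.append(sid)
        except NotFound:
            pass
    return served


def foreign_ids_served(handler: Callable[[str, int], bytes],
                       session_user: str, start: int, count: int) -> List[int]:
    """IDs the handler served that do not belong to session_user."""
    return [sid for sid in probe_neighbouring_ids(handler, session_user, start, count)
            if STATEMENTS[sid].owner != session_user]


if __name__ == "__main__":
    print("vulnerable handler leaks:", foreign_ids_served(download_vulnerable, "alice", 1000, 5))
    print("hardened handler leaks:  ", foreign_ids_served(download_hardened, "alice", 1000, 5))
```

The fix is not to hide or randomize the identifier but to make ownership part of the lookup, and to return the same error for foreign and unknown IDs so the endpoint cannot be used to enumerate which statements exist.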

Read more…

An open-source SMS gateway for pentest projects

Access to mobile applications is often tied to a telephone number. When several people work on one project, it can eventually become necessary to share mobile numbers for receiving SMS. When testing mobile applications that are protected by SMS-based second-factor authentication (2FA), sharing telephone numbers within the test team is sometimes necessary and acceptable from a security standpoint, provided only a test system is involved. At Pentagrid we therefore run a small SMS gateway, which we hereby release as open source.

Read more…

Reflected cross-site scripting vulnerability in Crealogix EBICS implementation (CVE-2022-3442)

During a penetration test of an Electronic Banking Internet Communication Standard (EBICS) environment, Pentagrid identified a vulnerability in the EBICS banking implementation developed by CREALOGIX AG and used by many banks. EBICS is a common standard in Germany, France and Switzerland for transmitting payment information from customers to banks and between banks.

Read more…