It's a backdoor - by mandated design.
German e-gov protocol carries ancient vulns
Germany's e-government system is open to padding oracle attacks and other vulnerabilities because of an insecure communications protocol. According to this SEC-Consult advisory, which landed on Friday, the problems are in the OSCI-Transport Library version 1.2, for which a common implementation is in Java. OSCI, the Online …
COMMENTS
-
Monday 3rd July 2017 06:57 GMT John Smith 19
"secure, confidential, and legally-binding transmission over untrusted networks"
Given these factors perhaps a little more Teutonic thoroughness in the testing? Maybe an actual formal analysis of the protocol to find logical flaws?
But this is what really impresses.
"the OSCI-Transport library only needs to be in the classpath of an application - the vulnerable application does not need to actually use the OSCI-Transport library!"
Genius. A vuln you don't even need to use to make you vulnerable.
That said, IRL: 1) This looks like an Oracle user issue. 2) How extensive is this protocol's use? (I'm guessing in Germany, quite a bit.) 3) Who uses this version of the library? 4) Do later versions of the library carry the same bugs?
Depending on the answers this could be storm-in-a-teacup level up to almighty-clusterf**k-criminal-charges-deserved.
And yes. Being able to break the encryption of a message at will, which IIRC the German spooks are looking for, makes a mockery of "legally binding."
-
Monday 3rd July 2017 12:48 GMT iron
Re: "secure, confidential, and legally-binding transmission over untrusted networks"
1) This issue has nothing to do with Oracle the company or database, it is an attack against a crypto scheme from the "padding oracle" family of attacks.
4) Did you READ THE WHOLE ARTICLE? See below for the lines you missed:
"the problems are in the OSCI-Transport Library version 1.2"
"Germany's public agencies are warned not to use OSCI-Transport until they've upgraded to the latest version of the library."
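To make the "padding oracle" point concrete, here is an added example (not code from the advisory, the OSCI library, or any commenter) of what the oracle is and why the order of checks removes it. The 4-round Feistel block cipher, the keys and the message are constructed stand-ins; the two receivers differ only in whether they authenticate before or after unpadding.

```python
import hmac, hashlib
BLOCK = 16
def _xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def _f(key, half, rnd):
    # Round function of a toy 4-round Feistel cipher (constructed for the demo,
    # an invertible stand-in for AES, NOT a real cipher).
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]
def block_encrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in range(4): l, r = r, _xor(l, _f(key, r, rnd))
    return r + l
def block_decrypt(key, blk):
    l, r = blk[8:], blk[:8]
    for rnd in reversed(range(4)): l, r = _xor(r, _f(key, l, rnd)), l
    return l + r
def cbc_encrypt(key, iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev)); out += prev
    return out
def cbc_decrypt(key, iv, ct):
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(_xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:]))
def pad(data):  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n
def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n: raise ValueError("bad padding")
    return data[:-n]
def mac(mk, data): return hmac.new(mk, data, hashlib.sha256).digest()
def seal_vulnerable(ek, mk, iv, msg):   # MAC-then-encrypt: tag over the plaintext
    return iv, cbc_encrypt(ek, iv, pad(msg)), mac(mk, msg)
def seal_hardened(ek, mk, iv, msg):     # encrypt-then-MAC: tag over iv||ct
    ct = cbc_encrypt(ek, iv, pad(msg)); return iv, ct, mac(mk, iv + ct)
def receive_vulnerable(ek, mk, iv, ct, tag):
    # Unpads before authenticating, so bad padding and bad MAC are reported
    # differently. That distinguishable response is the padding oracle.
    try: pt = unpad(cbc_decrypt(ek, iv, ct))
    except ValueError: return "padding error"
    return "ok" if hmac.compare_digest(mac(mk, pt), tag) else "mac error"
def receive_hardened(ek, mk, iv, ct, tag):
    # Verifies the tag over iv||ct before touching the ciphertext: every
    # tampered message gets the same answer, so padding validity never leaks.
    if not hmac.compare_digest(mac(mk, iv + ct), tag): return "rejected"
    unpad(cbc_decrypt(ek, iv, ct)); return "ok"  # padding is authentic here
def tamper_responses(receive, ek, mk, iv, ct, tag):
    # Flip the last IV byte through every non-zero delta (the IV feeds the
    # single ciphertext block's XOR) and collect the distinct receiver answers.
    return {receive(ek, mk, iv[:-1] + bytes([iv[-1] ^ d]), ct, tag) for d in range(1, 256)}
```

Run against a one-block message, the vulnerable receiver answers with two different strings depending on whether the tampered padding happened to be valid, while the hardened receiver gives one uniform rejection.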
-
Monday 3rd July 2017 19:03 GMT John Smith 19
Re: "secure, confidential, and legally-binding transmission over untrusted networks"
"This issue has nothing to do with Oracle the company or database, it is an attack against a crypto scheme"
Noted.
In which case it's much more serious that I at first thought. :-(
"the problems are in the OSCI-Transport Library version 1.2"
"Germany's public agencies are warned not to use OSCI-Transport until they've upgraded to the latest version of the library."
3 problems with that.
This protocol has been around since 2004. No one knows if earlier versions have the same vulns.
No one knows what the update process in those institutions is. If it's like the NHS, some of them may still be running on library versions generations earlier.
The updated version was released 2017-03-13, i.e. less than 4 months ago.
-
Monday 3rd July 2017 10:33 GMT Anonymous Coward
Why am I not surprised?
Oh well, it's "Digitalisierung" at its best again...
For those unaware of the political agenda in Germany: according to the local bigwigs (both within and outside of government) Germany has one big challenge to face. No, not what you'd think, it's not the looming failure of the export-driven economic model, nor the impending trade war with the USA, nor - heaven forbid - issues related to uncontrolled immigration and public security. NO, the one single REAL problem that Germany has to face is, of course, a blatantly insufficient degree of "digitalization". Go figure.
So "Digitalisierung" is the light, the truth and the way to go. Which, of course, does not mean developing local know-how or strengthening the local IT-industry. (Hey, what did you think?)
In practice, "Digitalisierung" means three things, in descending order of relevance:
1. Hot air. Lots of it. Not so much the sort of hot air that is emitted by data centres - mostly just idle chatter, expensive but pointless consulting, high output of assorted blue- and whitepapers and the occasional bombastic public announcement of ever more "digital" bullshit.
2. Stuffing the public clouds run by Alphabet, Amazon or Facebook with data. Lots of it. Germany's national railway company just announced its determination to outsource its entire IT-department to Amazon. That's right, all of it. By 2022 no train is supposed to be able to run without the support of Amazon. Data is the raw oil of the 21st century, that's why we export it to the US and Ireland like crazy, probably to avoid future data pollution issues. Isn't that clever?
3. E-government everywhere. Or at least that's the plan. In reality no "e-government" project has ever taken off. Local residents tend to avoid everything labelled as such like the plague. I wonder why this might be... It is probably time to outsource it all to GAFA, see above.
What can you say: "doubleplusgood"
PS: FWIW, "Chaos" is of neuter gender in German.
-
Monday 3rd July 2017 16:23 GMT Anonymous Coward
Re: Why am I not surprised?
"I always assumed the German public sector had it together, relatively speaking"
There's a British tendency to assume that Germany's engineering thoroughness extends to all other aspects of German activity. Working for a German company, I can assure you that's not the case. German bureaucrats are as inept and self-interested as anybody else's. German commercial business processes are generally as chaotic and ill-structured as those of any British company - German companies do tend to document the mess far better, but that then solidifies it and prevents local workarounds, as any user of SAP will know. German corporate strategy is impressively bad - in my own field there's a roll of dishonour of failed M&A that covers much of corporate Germany.
Note this isn't saying Germany is worse, simply that very large tracts of German life and economy are very similar to the things we bemoan in the UK.
-
Monday 3rd July 2017 13:46 GMT Anonymous Coward
Re: how does Germany keep getting into these messes? It's an enigma
I guess we are adhering to "international" - or at least: "European" - standards wrt industrial policy, procurement procedures, lawmaking & stuff XD
Ok, maybe we sometimes do adhere more closely and thoroughly to said standards than is standard procedure elsewhere...
-