Signature Bypass / Authentication Bypass In Governikus Autent SDK

Title: Signature Bypass / Authentication Bypass

Product: Governikus Autent SDK

Vulnerable Version: <=3.8.1

Fixed Version: 3.8.1.2

CVE Number: -

Impact: critical

Found: 31.05.2018

By: W. Ettlinger (Office Vienna) | SEC Consult Vulnerability Lab

The German government-issued identity card (nPA) allows German citizens to prove their identity not only in person, but also against online services (by using the embedded RFID chip). A critical security vulnerability in the Governikus Autent SDK enables an attacker to impersonate arbitrary users against affected web applications.

An additional blog post has been published on this topic as well: English | German

To the full advisory (English).

EOF W. Ettlinger / @2018