English: Multiple vulnerabilities in Basware Banking/Maksuliikenne software that were reported already 08/2012 may still enable undetectable economic crimes against user organizations (companies)
Finnish: Basware Banking/Maksuliikenne -ohjelmiston haavoittuvuudet, joista raportoitiin jo 08/2012, saattavat edelleen mahdollistaa käyttäjäyrityksiin kohdistuvia ”näkymättömiä” talousrikoksia
Swedish: Sårbarheter i Basware Banking/Maksuliikenne programvaran, vilka rapporterades redan 08/2012, kan fortfarande möjliggöra “osynlig” ekonomisk kriminalitet mot användarföretag

Security researcher, author: Samuel Lavitt cve-2015-0942@precipice.fi
Editor and translator: Ronja Addams-Moring Ronja@precipice.fi


English Summary:

Basware Banking/Maksuliikenne, a cash/bank account management software package for enterprises from software vendor Basware, has multiple critical vulnerabilities, which are described in this report. These vulnerabilities were first observed and reported to Basware by security researcher and author of this report, Samuel Lavitt, in August 2012. These vulnerabilities, and exploits to unlawfully gain economically from them in an undetectable manner, were demonstrated by the author to Basware and CERT-FI (part of the National Cyber Security Centre Finland) on 7 July 2014. The Finnish Financial Supervisory Authority was also informed in July 2014. At least one vulnerability has been partially fixed since.
Despite that fix it is still, to the best of the author’s knowledge, possible to: These risks affect at least 1,500 user organizations (companies) in the Nordic and Baltic countries, mainly in Finland and Sweden. Protecting against these risks may require a complete reset of all affected digital banking keys, in addition to security fixes to the software, or discontinuing the use of the vulnerable software. To implement these changes and prevent possible fraud due to the vulnerabilities that allow the copying of banking keys, each user organization may require the assistance of banks where they have granted the Basware Banking/Maksuliikenne software access to their bank accounts. Depending on how processes are defined and technical controls implemented in each bank, making the required changes may or may not also have an impact on other bank customers who do not use the Basware Banking/Maksuliikenne software.


Yhteenveto suomeksi:

Basware Banking/Maksuliikenne, yritysten rahan ja pankkitilien hallintaan tarkoitettu ohjelmistopaketti ohjelmistotoimittaja Baswarelta, sisältää useita kriittisiä haavoittuvuuksia, jotka on kuvattu tässä raportissa. Tämän raportin kirjoittaja, turvallisuusasiantuntija Samuel Lavitt havaitsi nämä haavoittuvuudet ensimmäisen kerran ja ilmoitti niistä Baswarelle elokuussa 2012. Nämä haavoittuvuudet sekä sen, miten niitä hyödyntämällä on mahdollista saada oikeudetonta taloudellista etua ilman, että sitä voidaan havaita, kirjoittaja osoitti Baswaren ja CERT-FI:n (osa Viestintäviraston Kyberturvallisuuskeskusta) edustajille demonstraatiossa 7. heinäkuuta 2014. Myös Finanssivalvonnalle ilmoitettiin asiasta heinäkuussa 2014. Ainakin yksi haavoittuvuuksista on sittemmin osittain korjattu.
Raportin kirjoittajan parhaan tiedon mukaan korjauksesta huolimatta on edelleen mahdollista: Nämä riskit vaikuttavat ainakin 1500 käyttäjäorganisaatioon (yritykseen) Pohjoismaissa ja Baltian maissa, pääasiassa Suomessa ja Ruotsissa. Näiltä riskeiltä suojautuminen saattaa edellyttää kaikkien haavoittuvuuden vaikutuspiirissä olevien digitaalisten pankkiavainten uusimista, sen lisäksi että ohjelmiston turva-aukot on korjattava tai on lopetettava haavoittuvan ohjelmiston käyttö. Jotta nämä muutokset voidaan toteuttaa ja mahdolliset petokset haavoittuvuuden kautta kopioitujen pankkiavainten avulla estää, kukin käyttäjäorganisaatio saattaa tarvita apua kaikilta niiltä pankeilta, joissa se on antanut Basware Maksuliikenne -ohjelmistolle oikeudet käsitellä pankkitilejään. Riippuen siitä, miten kussakin pankissa prosessit on määritelty ja turvaratkaisut toteutettu, tarvittavien muutosten tekeminen saattaa vaikuttaa tai olla vaikuttamatta myös muihin pankkiasiakkaisiin, jotka eivät käytä Basware Maksuliikenne -ohjelmistoa.


Sammanfattning på svenska:

Basware Banking/Maksuliikenne, ett programvarupaket för företag för penning- och bankkontohantering, utgivet av mjukvaruleverantören Basware, har flera kritiska sårbarheter som beskrivs i denna rapport. Dessa sårbarheter observerades och rapporterades till Basware av författaren till denna rapport, Samuel Lavitt, för första gången i augusti 2012. Dessa sårbarheter, och hur man med hjälp av dem kan få obehörig ekonomisk vinning på ett sätt som inte går att spåra, demonstrerades av författaren för Basware och CERT-FI (en del av Kommunikationsverkets Cybersäkerhetscenter i Finland) den 7e juli 2014. Även Finansinspektionen i Finland informerades i juli 2014. Åtminstone en av sårbarheterna har delvis korrigerats sedan dess.
Trots korrigeringen är det, enligt författarens bästa förståelse möjligt att: Dessa risker påverkar minst 1500 användarorganisationer (företag) i de nordiska och baltiska länderna, främst i Finland och Sverige. För att skydda sig mot dessa risker, kan det vara nödvändigt att helt förnya de berörda digitala banksäkerhetsnycklarna, förutom att också korrigera sårbarheterna i programvaran, eller sluta använda den sårbara programvaran. En användarorganisation kan behöva hjälp av de banker, där de har givit Basware Banking programvaran rätt att använda sina bankonton, för att åstadkomma dessa förändringar och förhindra möjligt bedrägeri genom de sårbarheter som tillåter att banksäkerhetsnycklarna kopieras. Beroende på hur processerna är definierade och den tekniska säkerheten är förverkligad i en bank, kan förverkligande av de nödvändiga förändringarna antingen påverka eller inte påverka även andra bankkunder som inte använder Basware Banking programvaran.


Full report, English only

Description of the affected software:

The Basware Banking/Maksuliikenne software (henceforth “the software”) is a cash/bank account management software package for enterprises from software vendor Basware (henceforth “the vendor”). According to the best information the author of this report has, it is used by between 1,500 and 2,000 customer organizations, primarily companies throughout the Nordic and Baltic regions. The software operates as a thick client/server package, with both clients and servers running on the Windows platform. The server component is primarily an IBM Solid database server. It is possible to have the client and server components installed and operating on the same system. In that case, if the system has a properly configured firewall preventing unauthorized access, the CVE-2015-0943 vulnerability described below can be effectively mitigated.


Description of the vulnerabilities:

In August 2012 and June—July 2014, multiple vulnerabilities were found in the software by the author and reported to the vendor. Because the vendor was unable to reproduce the issues described or to confirm the presence of any vulnerability, a demonstration was given to the vendor as well as to CERT-FI in July 2014. The author was later informed by CERT-FI that the vendor stated all but one of these security issues had been fixed and that the fixes had been made available to affected customers. However, the author has not been provided with updated software to verify the resolutions himself. This report is based on the author’s best knowledge on 27 July 2015. Affected version ranges and fixed version information are incomplete. Two CVE numbers were provided to the author by CERT-FI for the vulnerabilities: one for the issue that was still considered unresolved, and one for all issues that the vendor stated were resolved.

CVE-2015-0942
CVSSv2 score: 10.0 – Critical
CVSS v2 Vector (AV:N/AC:L/Au:N/C:C/I:C/A:C)

The issues in CVE-2015-0942 are issues that the vendor has informed the author to be resolved, with fixes available to customers, but the latest update provided by the vendor to the author does not appear to adequately resolve them. Affected versions are at minimum 8.40.1.0 to 8.90.07.X (The latest provided to the author).

Issue #1: Hard-coded account used for account management

All instances of the software use the same hard-coded account with an identical password for account management. This account, with the name "ANCO", is not only identical for all installations, but is also used for security-sensitive tasks. This account has sufficient permissions to perform account management tasks on other accounts, such as locking or unlocking other user accounts, as well as updating the audit trails for other accounts.
As of version 8.90.07.X, a static account for account management tasks is still present. However, the account no longer has full database permissions. The account name (and possibly password) is also different for each installation of the software, but can be found using information that can be accessed using an additional hard-coded account that was added to the server, which uses the same username and password for all installations.

Issue #2: Use of client-side access control/auditing only

The software performs login verification, audit trail creation, and even account locking via client-side functions. By simply dropping network traffic related to these functions, it is possible to disrupt security-critical functions, such as audit-trail creation for failed login attempts and account locking to prevent brute force attacks. As of version 8.90.07.X an attacker can even prevent the client from locking an account to prevent brute forcing by ending the software’s process via the Windows Task Manager; the account is only locked after acknowledging the notification.
In addition, the author discovered that as of version 8.90.07.X, possibly as part of the changes to prevent abuse of the account for account management described in issue #1 above, accounts are no longer locked/disabled at all in the server. Instead, the account name is added to a table of locked accounts, and after a successful login as a user, a check of that table is made to see if the account is considered “locked”. If the account is in the locked account table, the client software prompts that the user account is locked and logs the user out. This is purely a client-side check and the users actually have full permissions to modify the contents of that table, which allows any user to delete their own account lock.

Issue #3: Unprotected storage of private keys used for banking transactions

The private keys that are used by the software to communicate with the customer organization's bank are available to users of the software in plain text (or trivially protected in later versions) in the SQL database. As of version 8.90.07.X these keys are available to all users of the software, even if the access control policies provided to the system administrators are specifically set to restrict access from the users. The usage of these keys allows an attacker to completely bypass the control mechanisms in place and impersonate the software or a valid authorized account holder to various online banking systems directly, enabling authentication of fraudulent requests.

Issue CVE-2015-0943
CVSSv2 Score: 8.3 – High
CVSS v2 Vector (AV:A/AC:L/Au:N/C:C/I:C/A:C)

The vendor has informed the author and customers in an email sent 13 October 2014 to all customers that this issue will be resolved in 2015 using native Solid DB encryption. Affected versions are at minimum 8.40.1.0 to 8.90.07.X.

Issue #4: Use of plain text for all SQL server communications

The communications between the thick client and the backend (SQL) server are done in plain text and without tamper protection. Any hostile actor who is able to perform a man-in-the-middle attack on the communications can manipulate all information sent between the SQL server and the client. A man-in-the-middle attack would allow complete modification of all banking/payment information, access to bank account encryption keys, modification of all payment records, etc. Even if an attacker is not able to perform a man-in-the-middle attack on the communications, access to packet captures can still reveal sensitive banking information, user credentials for the banking system, and possibly also encryption keys, which might allow direct impersonation of authorized users to the banks. There is also no replay protection, so an attacker who has a copy of the messages sent from the client to the server during user login can reuse those same messages to gain full access to the banking server.
This issue was partially confirmed by the vendor in an announcement sent to their customers in October 2014, with an offer of a work-around using 3rd-party solutions provided by contacting vendor support.


Suggestions for organizations using the software:

Disclaimer: The suggestions below may assist your risk management or information security department in determining appropriate actions for your organization based on your environment and security posture. These suggestions are in no way meant to be instructions or to provide protection against or detection of abuse. Any response should be tailored to your organization by competent internal or external experts who understand the software vulnerabilities as well as your organization's policies, procedures, and operational environment.


Timeline

Dates are approximate and to the best of the author’s memory, as the author was not the primary person handling communications with the vendor.