eIDAS flaws allowed attackers to impersonate any EU citizen or business

Pierluigi Paganini October 31, 2019

European authorities have addressed two security vulnerabilities affecting the eIDAS (electronic IDentification, Authentication and trust Services) system.

European authorities have released security updates (v2.3.1) for its eIDAS (electronic IDentification, Authentication and trust Services) system that addressed two security vulnerabilities.

The electronic IDentification, Authentication and trust Servicesis an EU regulation on / a set of standards for electronic identification and trust services for electronic transactions in the European Single Market (i.e. tax payments, bank transfers, goods shipments).

The vulnerabilities could be exploited by attackers to impersonate any EU citizen or business during official transactions.

“During a short crash test SEC Consult identified a critical vulnerability in the eIDAS-Node software component that could allow an attacker to impersonate any EU citizen.” reads the advisory.

The system allows citizens, businesses and member state governments, to carry out cross-border electronic transactions that can be verified against official databases in any country.

eIDAS-Node is the software that implements the eID eIDAS Profile and it is able to communicate with other nodes of the eIDAS Network. The eIDAS-Node can either request (via an eIDAS-Node Connector) or provide (via an eIDAS-Node Proxy Service) cross-border authentication.

The vulnerabilities fixed by the European authorities affect the Node software.

The vulnerabilities have been reported by security experts at SEC Consult, the first issue is described as Certificate Faking, the second one as Missing Certificate Validation.

The experts provided the following description of the sequence of authentication in their advisory: “If an Italian citizen wants to authenticate against a German online service, first the German eIDAS-Node (eIDAS-Connector) is directed by the web application to initiate the authentication process. It sends a request to the Italian eIDAS-Node (eIDAS-Service). The Italian eIDAS-Node forwards the user to a system that is equipped to authenticate the Italian citizen using the national eID scheme. After authentication, the German eIDAS-Connector receives the citizen’s information which it forwards to the web application.

eIDAS

eIDAS leverages SAML for communication between the eIDAS-Connector and eIDAS-Service (collectively called eIDAS-Nodes).

The eIDAS-Node software fails to validate certificates used in eIDAS transactions, allowing attackers to forge the certificate of any other eIDAS entity (citizen or business).

The researchers at SEC Consult discovered a flaw that allowed an attacker to bypass the signature verification, this means that an attacker could exploit it to send a specially crafted SAML response message to an eIDAS-Connector to impersonate other profiles.

“Due to insufficient certificate verification the European Commission eIDAS-Node accepted manipulated SAML messages, allowing an attacker to bypass eIDAS authentication and assuming someone else’s identity.” reads the advisory.

The attacker has to initiate a malicious connection to an eIDAS-Node server of any member state, and supply forged certificates.

The experts also included a PoC code for the vulnerabilities in the security advisory.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – eIDAS, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment