Results from the bug bounty program, update 31 March 2022
Swiss Post is running a public bug bounty program for its e-voting solution. Our previous update was published on 31 December 2021.
Since then, hunters have submitted 14 reports:
- 4 reports concern source-code issues. They highlighted meaningful improvements in the source code.
- 2 reports concern Log4j vulnerabilities.
- 8 reports were not accepted by Swiss Post and YesWeHack (YWH) because they could not be reproduced or did not identify a vulnerability. Triaging reports is a standard part of any bug bounty program; the decisions were taken together with our partner YesWeHack.
In total, Swiss Post has paid out €17’450.- since the last update to the bounty hunters who submitted these reports.
Source-code related issues
YWH-ID | Title | Description | Status | CVSS severity |
---|---|---|---|---|
#YWH-PGM2323-53 | Multiple unchecked length values during SafeStreamDeserialization may crash Control Components. | A lack of length validation during the deserialization of potentially attacker-controlled messages could lead to an out-of-memory error. Identified thanks to Ruben Santamarta (reversemode) | This issue has been corrected in release 0.15. | Medium |
#YWH-PGM2323-64 | Verifier does not properly verify the signature of NodeContributions | When checking the Node Contributions resulting from 'GenEncLongCodeShares', the verifier uses data from the Control Components that has not yet been verified in order to set up its own verification logic. Identified thanks to Ruben Santamarta (reversemode) | This issue has been corrected in release 1.1. | Medium |
#YWH-PGM2323-65 | Generation of 'Choice Return Codes encryption' Public Key and 'Election' Public Key may be influenced by a malicious voting server. | The Setup Component does not validate that the number of public keys received from the Voting Server matches the number of public keys defined in the protocol specification. A malicious voting server could use this to hamper the availability of the e-voting service. Identified thanks to Ruben Santamarta (reversemode) | This issue has been corrected in release 0.15. | Medium |
#YWH-PGM2323-66 | Improper sanitization of query parameters in SanitizerDataHttpServletRequestWrapper (CWE-235) | The sanitization of query-string parameters in the API Gateway can be bypassed by including the same parameter more than once, because only the last occurrence of each parameter is checked; earlier occurrences are passed downstream unchecked. | We will enforce that any parameter which is passed downstream is sanitized. This issue has been corrected in release 1.0. | Medium |
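The bug class behind #YWH-PGM2323-53 is a deserializer that sizes its allocations from length values the sender controls. The following Python example is added here to illustrate it; it is not Swiss Post's SafeStreamDeserialization code and uses a constructed toy wire format (a 2-byte field count, then a 4-byte length prefix per field) with assumed caps `MAX_FIELDS` and `MAX_FIELD_LEN`. The unchecked parser allocates whatever the prefix says, so a single 0xFFFFFFFF prefix asks for 4 GiB before any payload is read; the checked parser bounds every length against both the protocol cap and the bytes actually present before it allocates.

```python
import io
import struct

# Constructed toy wire format for illustration only (not Swiss Post's
# SafeStreamDeserialization format): a 2-byte big-endian field count, then for
# each field a 4-byte big-endian length prefix followed by that many bytes.
# The caps below are assumed values; a real parser takes them from the protocol spec.
MAX_FIELDS = 16
MAX_FIELD_LEN = 64 * 1024


class DeserializationError(ValueError):
    """Raised when a message violates the declared bounds."""


def deserialize_unchecked(data: bytes) -> list:
    """Trusts every length value in the message (the bug class in #YWH-PGM2323-53).

    A field length of 0xFFFFFFFF makes bytearray(n) try to reserve 4 GiB before a
    single byte of payload has been read: an out-of-memory crash on the receiving
    component. Never call this on untrusted input.
    """
    stream = io.BytesIO(data)
    (count,) = struct.unpack(">H", stream.read(2))
    fields = []
    for _ in range(count):
        (n,) = struct.unpack(">I", stream.read(4))
        buf = bytearray(n)          # allocation sized by the sender
        stream.readinto(buf)
        fields.append(bytes(buf))
    return fields


def deserialize_checked(data: bytes) -> list:
    """Validates each count and length against the protocol cap and against the
    bytes that are actually present before allocating anything."""
    stream = io.BytesIO(data)
    header = stream.read(2)
    if len(header) != 2:
        raise DeserializationError("truncated header")
    (count,) = struct.unpack(">H", header)
    if count > MAX_FIELDS:
        raise DeserializationError(f"field count {count} exceeds {MAX_FIELDS}")
    fields = []
    for i in range(count):
        prefix = stream.read(4)
        if len(prefix) != 4:
            raise DeserializationError(f"truncated length prefix for field {i}")
        (n,) = struct.unpack(">I", prefix)
        if n > MAX_FIELD_LEN:
            raise DeserializationError(f"field {i} length {n} exceeds {MAX_FIELD_LEN}")
        remaining = len(data) - stream.tell()
        if n > remaining:
            raise DeserializationError(f"field {i} claims {n} bytes, only {remaining} left")
        fields.append(stream.read(n))   # allocation is now bounded by both checks
    if stream.read(1):
        raise DeserializationError("trailing bytes after last field")
    return fields


def encode(fields: list) -> bytes:
    """Serializer for the toy format, used to build the sample messages."""
    out = struct.pack(">H", len(fields))
    for f in fields:
        out += struct.pack(">I", len(f)) + f
    return out


def rejects(data: bytes) -> bool:
    """True if the checked parser refuses the message."""
    try:
        deserialize_checked(data)
    except DeserializationError:
        return True
    return False


# Constructed samples: a well-formed message, and a crafted one whose single
# field claims 0xFFFFFFFF bytes of payload while carrying one.
GOOD_MESSAGE = encode([b"node-1", b"\x01\x02\x03"])
HOSTILE_MESSAGE = struct.pack(">H", 1) + struct.pack(">I", 0xFFFFFFFF) + b"\x00"
```

The two bounds are deliberately independent: the cap on `MAX_FIELD_LEN` protects memory even when the stream is long, and the comparison against `remaining` rejects a message that is internally inconsistent regardless of the cap.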
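The bypass in #YWH-PGM2323-66 (CWE-235) depends on a gateway that keeps one value per parameter name and a downstream component that picks a different occurrence. The following Python example is added here to show both sides; it is not the code of SanitizerDataHttpServletRequestWrapper or of the API Gateway, and the deny-pattern `FORBIDDEN` is an assumed stand-in for whatever rules the real sanitizer applies. The vulnerable sanitizer collapses duplicates into a dict, so only the last value is inspected; the modelled backend returns the first occurrence, as Servlet `getParameter()` does, and receives the unchecked payload. The hardened version inspects every occurrence.

```python
import re
from typing import Optional
from urllib.parse import parse_qsl

# Assumed deny-pattern standing in for the gateway's real rule set (not on the page).
FORBIDDEN = re.compile(r"[<>'\";]")


class SanitizationError(ValueError):
    """Raised when a query parameter fails the gateway check."""


def sanitize_last_occurrence_only(query: str) -> dict:
    """Vulnerable pattern (#YWH-PGM2323-66): each repeated name overwrites the
    previous value, so only the last occurrence is ever checked."""
    params = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        params[name] = value
    for name, value in params.items():
        if FORBIDDEN.search(value):
            raise SanitizationError(f"rejected parameter {name!r}")
    return params


def sanitize_all_occurrences(query: str) -> dict:
    """Hardened pattern: every occurrence of every name is checked before the
    request is forwarded, and all values are kept for the caller to see."""
    params = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if FORBIDDEN.search(value):
            raise SanitizationError(f"rejected parameter {name!r}")
        params.setdefault(name, []).append(value)
    return params


def backend_first_value(query: str, name: str) -> Optional[str]:
    """Models a downstream service that, like Servlet getParameter(), returns the
    first occurrence of a parameter from the raw query it received."""
    for n, v in parse_qsl(query, keep_blank_values=True):
        if n == name:
            return v
    return None


def gateway_forwards(query: str, sanitizer) -> bool:
    """True if the given sanitizer lets the raw query through to the backend."""
    try:
        sanitizer(query)
    except SanitizationError:
        return False
    return True


# Constructed request: the first 'id' carries the payload, the last one is clean.
CRAFTED = "id=<script>alert(1)</script>&id=42"
```

With the last-occurrence sanitizer the crafted request passes the gateway and the backend reads the payload; with the all-occurrences sanitizer the same request is rejected before it is forwarded. A stricter gateway policy can also refuse any request that repeats a parameter name at all, which removes the ambiguity between components rather than just checking around it.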
Log4j vulnerabilities
Swiss Post would like to thank all the researchers who drew our attention to the weaknesses with their reports.
In this issue we published the list of corrected CVEs and a security analysis of their impact.
YWH-ID | Title | Description |
---|---|---|
#YWH-PGM2323-56 | A vulnerable, outdated version of Log4j used in the E-Voting System may lead to CVE-2021-45105 | A vulnerability in the popular Java logging library Log4j2 was discovered that results in a denial of service through uncontrolled recursion from self-referential lookups. |
#YWH-PGM2323-57 | A vulnerable, outdated version of Log4j used in the E-Voting System may lead to CVE-2021-44832 | Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when an attacker with control over the logging configuration points a JDBC Appender at a JNDI LDAP data source under their control. |
Edited by Swisspost Product