Results from the bug bounty programme, update 31 March 2023
SwissPost runs a public bug bounty programme for its e-voting solution. We published the previous update on 31 December 2022.
Since then, hunters have submitted 22 reports:
- 2 reports concern cryptography-related issues in the cryptographic protocol and its specification.
- 11 reports concern source-code issues. They highlighted meaningful improvements in the source code.
SwissPost and YesWeHack (YwH) did not accept 6 reports because they could not be reproduced or did not identify a vulnerability, and 3 reports are still under review. Triaging reports is a standard process in bug bounty programmes, and we took these decisions together with our partner YesWeHack.
In total, SwissPost has paid out €23'500 in rewards since the last update to the hunters who submitted the reports.
Cryptography-related issues
YWH-ID | Title | Description | Status | CVSS-severity |
---|---|---|---|---|
#YWH-PGM232-121 | Improve second pre-image resistance of the RecursiveHashToZq and KDFToZq functions | RecursiveHashToZq and KDFToZq are cryptographic hash functions used in the Swiss Post Voting System to map input data to fixed-length outputs in the finite field Zq. Unfortunately, these functions are susceptible to second pre-image attacks under specific conditions. In this type of attack, an attacker finds a message with the same hash value as a given input message, which can allow them to impersonate the original sender or carry out other malicious activities. The vulnerability arises because both functions take an upper bound to ensure the output is within the desired domain. If the initial output is larger than the upper bound, the hash operation is repeated, which inadvertently allows attackers to trivially find a second pre-image for that input value. | Crypto-primitives release 1.2.3 improved RecursiveHashToZq, and crypto-primitives release 1.3.0 improved KdfToZq, to prevent any second pre-image vulnerabilities in these functions. | Medium |
#YWH-PGM232-122 | Crypto-primitives: potential hash collision due to the handling of invalid UTF-8 sequences in the 'stringToByteArray' implementation | As per the crypto-primitives specification, strings are encoded in UTF-8 format. However, while 'ByteArrayToString' checks for malformed UTF-8 sequences, 'stringToByteArray' does not perform any validation. If ill-formed UTF-8 sequences are encountered, the 'getBytes' function internally substitutes them with the '?' character. As a result, a string that contains invalid UTF-8 sequences will be accepted, leading to a potential hash collision since the hash is computed on the bytes resulting from the string encoding. | Crypto-primitives release 1.3.0 validates the inputs before invoking the stringToByteArray function. | Medium |
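The following is an added example, not crypto-primitives code, that models the retry behaviour described in #YWH-PGM232-121 in miniature. It assumes (as labelled in the code) that a single byte string stands in for the structured input the real function takes, that SHA-256 stands in for the underlying hash, and that `Q` is a constructed bound chosen so that about half of all digests exceed it. The hardened variant at the end is one standard way to retry without starting from a caller-reproducible value; the page does not say that this is what release 1.2.3 implemented.

```python
"""Toy model of the retry-based hash-to-Zq weakness described in YWH-PGM232-121.

Added example, not crypto-primitives code. Assumptions: a single byte string
stands in for the structured input, SHA-256 for the underlying hash, and Q is
a constructed bound that roughly half of all SHA-256 digests exceed.
"""
import hashlib
from typing import Optional

Q = 2 ** 255  # constructed bound: SHA-256 digests are 256-bit, so ~50% overflow it


def weak_hash_to_zq(data: bytes, q: int = Q) -> int:
    """Flawed variant: when the digest is >= q, hash the digest itself and retry.

    The retry continues from a value anyone can reproduce, so the digest bytes
    are themselves an input that reaches the same final output.
    """
    digest = hashlib.sha256(data).digest()
    value = int.from_bytes(digest, "big")
    if value >= q:
        return weak_hash_to_zq(digest, q)  # re-hashing the output is the weakness
    return value


def second_preimage_of_weak(data: bytes, q: int = Q) -> Optional[bytes]:
    """Return a different input with the same weak_hash_to_zq output, or None.

    One exists exactly when the first digest overflows q: the weak function then
    proceeds from that digest, so feeding the digest in directly gives the same
    result.
    """
    digest = hashlib.sha256(data).digest()
    if int.from_bytes(digest, "big") >= q:
        return digest
    return None


def find_input_that_retries(prefix: bytes, q: int = Q) -> bytes:
    """Search constructed inputs prefix||counter until one triggers the retry."""
    counter = 0
    while True:
        candidate = prefix + str(counter).encode()
        if int.from_bytes(hashlib.sha256(candidate).digest(), "big") >= q:
            return candidate
        counter += 1


def hardened_hash_to_zq(data: bytes, q: int = Q) -> int:
    """Hardened variant (an assumed design, not necessarily the 1.2.3 change):
    retry by hashing the ORIGINAL input together with a counter, so no retry
    step starts from a value that is itself a valid caller-supplied input."""
    counter = 0
    while True:
        digest = hashlib.sha256(counter.to_bytes(4, "big") + data).digest()
        value = int.from_bytes(digest, "big")
        if value < q:
            return value
        counter += 1


if __name__ == "__main__":
    x = find_input_that_retries(b"ballot-")
    y = second_preimage_of_weak(x)
    print("weak variant collides:", weak_hash_to_zq(x) == weak_hash_to_zq(y))
    print("hardened variant collides:", hardened_hash_to_zq(x) == hardened_hash_to_zq(y))
```

The defensive takeaway is the shape of the retry loop: rejection sampling into Zq is fine, but each retry must be bound to the original input (here by a counter prefix), never derived solely from an intermediate output that an input could equal.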
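The following is an added example, not crypto-primitives code, illustrating the collision in #YWH-PGM232-122. Python's `str.encode(..., errors="replace")` substitutes `?` for characters that cannot be encoded, which is the same substitution the report attributes to Java's `getBytes`, so a lone surrogate (which has no valid UTF-8 encoding) is used here as a constructed stand-in for an ill-formed sequence.

```python
"""Hash collision through lossy string encoding, as described in YWH-PGM232-122.

Added example, not crypto-primitives code. A lone surrogate models an
ill-formed sequence: it has no UTF-8 encoding, and the lossy encoder replaces
it with '?', exactly the substitution the report describes.
"""
import hashlib

# Constructed inputs: a literal question mark and a lone surrogate in the same position.
LITERAL = "voter?42"
MALFORMED = "voter\ud80042"


def lossy_string_to_byte_array(s: str) -> bytes:
    """Mirrors the flawed behaviour: malformed input silently becomes '?'."""
    return s.encode("utf-8", errors="replace")


def strict_string_to_byte_array(s: str) -> bytes:
    """Hardened: refuse any string that is not a sequence of Unicode scalar values."""
    try:
        return s.encode("utf-8", errors="strict")
    except UnicodeEncodeError as exc:
        raise ValueError(f"ill-formed input at index {exc.start}") from exc


def is_well_formed(s: str) -> bool:
    """Cheap pre-check usable before any encoding: no surrogate code points."""
    return not any(0xD800 <= ord(ch) <= 0xDFFF for ch in s)


def rejected_by_strict(s: str) -> bool:
    """True when the hardened encoder refuses the input."""
    try:
        strict_string_to_byte_array(s)
    except ValueError:
        return True
    return False


def hash_hex(encoder, s: str) -> str:
    """SHA-256 of the encoder's output, to show which inputs collide."""
    return hashlib.sha256(encoder(s)).hexdigest()


if __name__ == "__main__":
    print("lossy collision:", hash_hex(lossy_string_to_byte_array, LITERAL)
          == hash_hex(lossy_string_to_byte_array, MALFORMED))
    print("strict rejects malformed:", rejected_by_strict(MALFORMED))
```

In Java the equivalent hardening is to encode through a `CharsetEncoder` configured with `CodingErrorAction.REPORT` (or to validate the string first, as the 1.3.0 fix does) rather than relying on `String.getBytes`, which replaces malformed input silently.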
Source-code-related issues
YWH-ID | Title | Description | Status | CVSS-severity |
---|---|---|---|---|
#YWH-PGM2323-106 | Potential denial-of-service attacks in offline components due to highly compressed data in ZIP files | In the SDM, the way files are extracted in the "unzipToDirectory" method can consume a large amount of computer resources, which could lead to a denial-of-service condition if the resource usage is much larger than the data being processed. The zip algorithm can produce very large compression ratios. For example, a file consisting of alternating lines of a characters and b characters can achieve a compression ratio of more than 200 to 1. | Release 1.3.0 mitigates the issue by encrypting the ZIP file during export in the Secure Data Manager and decrypting it during import, thereby preventing tampering during transit and mitigating potential denial-of-service attacks caused by excessive compression rates. Because file sizes vary between election events, imposing size restrictions on ZIP files is not feasible. However, as the import and export processes are performed during the configuration phase and do not affect the voting server or control components, they can easily be repeated as necessary. Consequently, release 1.3.0 reduces the attack surface, and the potential impact of a denial-of-service attack would be minimal. | Low |
#YWH-PGM2323-109 | Defense-in-depth data sanitization in the voting server can be bypassed | The voting server employs a defense-in-depth mechanism that sanitizes requests based on their content-type, complementing the semantic and syntactic validation performed by all system components. However, the hunter's findings reveal that this mechanism can be bypassed by omitting content-type headers or using multipart request bodies, undermining its efficacy. Nevertheless, no demonstrable attack was identified as a result of these weaknesses. | Release 1.3.0 comprehensively refactors the voting server by removing the generic sanitization filter present in prior versions. Instead, it mandates that all method parameters and inputs are subjected to validation, which is accomplished via constructor and deserialization validation. This technique aligns with established best practices in input validation, as outlined in the OWASP Input Validation Cheat Sheet. | Low |
#YWH-PGM232-111 | Potential NPM dependency confusion attacks | NPM dependency confusion is a type of software supply chain attack that exploits a weakness in the way that package managers like NPM (Node Package Manager) resolve and install dependencies. The attack occurs when a malicious actor publishes a malicious package to a public package registry that has the same name as a legitimate package used by a target organization. | With release 1.4, we greatly reduced the number of external JavaScript dependencies in the source, thereby reducing the attack surface for dependency confusion attacks. Subsequently, we reanalysed the issue and concluded that the trusted build process provides a robust defence against NPM dependency confusion attacks, since multiple independent experts build the code independently. | Low |
#YWH-PGM232-112 | Improvements in XXE attack mitigations | The XmlFileRepository class in the SDM employs the Unmarshaller method to read XML files, which can introduce a security vulnerability known as XXE. XXE stands for XML External Entity, a type of vulnerability that can occur when an application processes XML input. An attacker can exploit this vulnerability by injecting malicious XML data that contains references to external entities. | Version 1.2.3 of the E-Voting System and version 1.3.3 of the verifier introduced supplementary security measures to mitigate XXE attacks – see the following commits: | Medium |
#YWH-PGM232-113 | Potential improvements in consistency checks of identifiers when persisting data on the file system | The implementation of the "GenKeysCCR" logic across the SDM, Voting Server and Control Components validates the signature of the "ControlComponentPublicKeysPayload" only after its contents are persisted to the file system. As a result, a malicious Voting Server can modify the 'electionEventID' value, which is not verified during the consistency checks performed by the SDM after receiving the response from the voting server. | Version 1.3.0 enhances input validation by verifying the consistency of identifiers between the request and payload. | Medium |
#YWH-PGM232-114 | Potential consistency check improvements before persisting the vote in the control component’s database | The issue is related to the above issue #YWH-PGM232-113. | Version 1.3.0 reorganizes the validation process for encrypted verifiable votes, ensuring that the control components fully verify the vote's authenticity, including the existence of a valid election event context, before storing it in the database. | Low |
#YWH-PGM232-115 | Transitive dev dependency with a potential DoS vulnerability | The E-voting system employs the open-source component glob-parent, with versions 3.1.0 and ^3.1.0, which are susceptible to a DoS vulnerability (CVE-2020-28469). gulp, a task runner used to automate front-end web development, depends on glob-parent as a transitive dependency; gulp is not directly employed in the executable code, and we have not detected any concrete attack. Nonetheless, updating the dependency is considered a best practice. | We updated the version of glob-parent in version 1.2.3. | Low |
#YWH-PGM232-118 | Use of open-source components with known vulnerabilities | The E-voting system incorporates the Java library zip4j version 2.11.2, which is susceptible to a medium severity vulnerability (CVE-2023-22899). The issue arises when zip4j fails to authenticate the MAC of decrypted ZIP archives, thereby potentially enabling attackers to manipulate the archive without detection. | E-voting release 1.2.3 updated the vulnerable version of zip4j. | Medium |
#YWH-PGM232-119 | Transitive dev dependency with a potential DoS vulnerability | "decode-uri-component" is an open-source JavaScript library that offers a URI component decoding function. Its version 0.2.0 is susceptible to a denial-of-service vulnerability, identified as CVE-2022-38900. | Release 1.2.3 updated the vulnerable version of decode-uri-component. | Low |
#YWH-PGM232-120 | Potential improvements in consistency checks of identifiers when persisting data on the file system | The issue is linked to the issue #YWH-PGM232-113. The SDM does not perform any verification on the mixing payloads received from Control Components via the Voting Server before storing them. Consequently, a malicious Voting Server could manipulate the list of 'ControlComponentBallotBoxPayload' and 'ControlComponentShufflePayload' payloads, altering the 'nodeId', 'electionEventId' and 'ballotBoxId' values so that they differ from those expected. These variables are used to generate the names of the files in which the payloads are stored. | Version 1.3.0 enhances input validation by verifying the consistency of identifiers between the request and payload. | Low |
#YWH-PGM232-126 | Potential issue with filling up a Secure Data Manager’s disk space in a specific exception scenario | During ZIP file import, the Secure Data Manager creates a temporary directory to unzip the archive. However, if the unzip operation encounters an error, the temporary directory is not deleted. If this error occurs repeatedly, it may result in a buildup of temporary folders containing decompressed ZIP archives, leading to disk space filling up over time. | Release 1.3.0 mitigates the issue by encrypting the ZIP file during export in the Secure Data Manager and decrypting it during import, thereby preventing tampering during transit and mitigating potential attacks that result from tampering with the ZIP file. | Low |
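The following is an added example, not Secure Data Manager code, covering the two ZIP import reports above (#YWH-PGM2323-106, highly compressed archives, and #YWH-PGM232-126, temporary directories left behind on failure). It builds an archive from the alternating-lines pattern the report cites and shows how an importer can stay within a decompression budget while counting bytes actually produced, and remove its temporary directory on every exit path. The budget values, entry names and sample payload are constructed for the demonstration.

```python
"""Bounded ZIP import with guaranteed temp-directory cleanup.

Added example for YWH-PGM2323-106 and YWH-PGM232-126; not SDM code. The
budget values, entry names and the repetitive sample payload are constructed.
"""
import io
import os
import tempfile
import zipfile


class ZipBudgetExceeded(Exception):
    """Raised as soon as decompressed output passes the configured limits."""


def build_zip(entries: dict) -> bytes:
    """Constructed in-memory archive: {name: content} written with DEFLATE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def repetitive_payload(size: int = 4 * 1024 * 1024) -> bytes:
    """Alternating lines of 'a' and 'b' characters, the pattern cited in the report."""
    pair = b"aaaa\nbbbb\n"
    return pair * (size // len(pair))


def compression_ratio(zip_bytes: bytes) -> float:
    """Declared uncompressed size over archive size (headers can understate sizes)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        declared = sum(info.file_size for info in zf.infolist())
    return declared / len(zip_bytes)


def unzip_to_directory(zip_bytes: bytes, dest: str, max_total: int, max_ratio: float) -> int:
    """Extract while counting bytes actually produced, so the limits hold even
    when the central-directory sizes are understated. Returns bytes written."""
    produced = 0
    budget = min(max_total, int(max_ratio * len(zip_bytes)))
    dest_real = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        if sum(info.file_size for info in zf.infolist()) > budget:
            raise ZipBudgetExceeded("declared size already exceeds budget")
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"entry escapes destination: {info.filename}")
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                while True:
                    block = src.read(64 * 1024)
                    if not block:
                        break
                    produced += len(block)
                    if produced > budget:
                        raise ZipBudgetExceeded(f"output exceeded {budget} bytes")
                    dst.write(block)
    return produced


def attempt_import(zip_bytes: bytes, max_total: int = 64 * 1024 * 1024,
                   max_ratio: float = 50.0) -> dict:
    """Import into a temporary directory that is removed on every exit path,
    including the failure paths the 126 report describes."""
    with tempfile.TemporaryDirectory(prefix="sdm-import-") as tmp:
        try:
            produced = unzip_to_directory(zip_bytes, tmp, max_total, max_ratio)
            accepted = True
        except (ZipBudgetExceeded, ValueError, zipfile.BadZipFile):
            produced, accepted = 0, False
        # ... an importer would process the extracted files here ...
    return {"accepted": accepted, "bytes": produced, "tmpdir_remains": os.path.isdir(tmp)}


if __name__ == "__main__":
    bomb = build_zip({"config.txt": repetitive_payload()})
    print("ratio:", round(compression_ratio(bomb)))
    print(attempt_import(bomb))
    print(attempt_import(build_zip({"config.txt": b"hello"})))
```

The ratio limit is relative to the archive size, so it does not need a fixed cap on election-event data; the absolute limit still exists as a ceiling. `TemporaryDirectory` does the cleanup that the report found missing, and it does so whether extraction succeeds, hits the budget, or fails on a corrupt archive.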
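The following is an added example, not Swiss Post code, that illustrates the remediation pattern shared by #YWH-PGM2323-109 (validation that does not depend on a content-type filter) and #YWH-PGM232-113/-120 (payload identifiers must match the request before they are used to build file names). Field names follow the reports; the identifier format (32 lowercase hex characters), the node-id range (1 to 4) and the storage layout are assumptions made for the demonstration.

```python
"""Validation in the constructor and identifier consistency before persisting.

Added example for YWH-PGM2323-109 and YWH-PGM232-113/-120; not Swiss Post
code. Assumed: identifiers are 32 lowercase hex characters, node ids are
1..4, and the storage layout shown in storage_path().
"""
import json
import os
import re
from dataclasses import dataclass

ID_PATTERN = re.compile(r"\A[0-9a-f]{32}\Z")  # assumed identifier format


@dataclass(frozen=True)
class ControlComponentBallotBoxPayload:
    node_id: int
    election_event_id: str
    ballot_box_id: str

    def __post_init__(self) -> None:
        # Validation lives in the constructor, so it runs however the object was
        # built: JSON, multipart, or a request without any content-type header.
        if isinstance(self.node_id, bool) or not isinstance(self.node_id, int) \
                or not 1 <= self.node_id <= 4:
            raise ValueError(f"nodeId out of range: {self.node_id!r}")
        for field in ("election_event_id", "ballot_box_id"):
            value = getattr(self, field)
            if not isinstance(value, str) or not ID_PATTERN.match(value):
                raise ValueError(f"{field} is not a well-formed identifier: {value!r}")


def deserialize(raw: bytes) -> ControlComponentBallotBoxPayload:
    """Deserialization goes through the validating constructor; unknown keys are rejected."""
    obj = json.loads(raw)
    expected = {"nodeId", "electionEventId", "ballotBoxId"}
    if set(obj) != expected:
        raise ValueError(f"unexpected or missing keys: {sorted(set(obj) ^ expected)}")
    return ControlComponentBallotBoxPayload(obj["nodeId"], obj["electionEventId"],
                                            obj["ballotBoxId"])


def is_rejected(raw: bytes) -> bool:
    """True when deserialize() refuses the document."""
    try:
        deserialize(raw)
    except (ValueError, KeyError):
        return True
    return False


def storage_path(base_dir: str, requested_election_event_id: str,
                 requested_ballot_box_id: str,
                 payload: ControlComponentBallotBoxPayload) -> str:
    """Refuse to derive a file name from identifiers the SDM did not ask for."""
    if (payload.election_event_id, payload.ballot_box_id) != \
            (requested_election_event_id, requested_ballot_box_id):
        raise ValueError("payload identifiers do not match the request")
    return os.path.join(base_dir, payload.election_event_id, payload.ballot_box_id,
                        f"controlComponentBallotBoxPayload_{payload.node_id}.json")


def is_consistent(requested_election_event_id: str, requested_ballot_box_id: str,
                  payload: ControlComponentBallotBoxPayload) -> bool:
    """True when storage_path() would accept the payload for this request."""
    try:
        storage_path("/tmp/sdm-demo", requested_election_event_id, requested_ballot_box_id, payload)
    except ValueError:
        return False
    return True
```

The two checks are independent layers: the constructor guarantees that any value reaching `storage_path` has the expected shape (so it cannot carry path separators), and the request-versus-payload comparison guarantees that a well-formed but different identifier supplied by an intermediary is not persisted under a file name of the intermediary's choosing.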
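The following is an added example, not SDM code (which reads XML through a Java Unmarshaller), showing two defensive layers against the XXE class described in #YWH-PGM232-112: rejecting any DOCTYPE before parsing, and parsing with external entity resolution switched off. The XML documents are constructed; the declared entity points at a placeholder path that the hardened parser never opens.

```python
"""Two defences against XML External Entity (XXE) processing, for YWH-PGM232-112.

Added example, not SDM code. The XML samples are constructed; the external
entity references a placeholder path that is never opened.
"""
import io
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

XXE_SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE config [ <!ENTITY ext SYSTEM "file:///placeholder/not-a-real-file"> ]>
<config><name>&ext;</name></config>"""

PLAIN_SAMPLE = b"<config><name>election-event-2023</name></config>"


def reject_doctype(xml_bytes: bytes) -> bytes:
    """Defence 1: the files read here never need a DTD, so refuse any DOCTYPE
    (and therefore any entity declaration) before a parser sees the document."""
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DOCTYPE/ENTITY declarations are not allowed")
    return xml_bytes


class _TextCollector(ContentHandler):
    """Collects character data so the result of entity handling is observable."""

    def __init__(self) -> None:
        super().__init__()
        self.parts = []

    def characters(self, content: str) -> None:
        self.parts.append(content)


def parse_with_external_entities_disabled(xml_bytes: bytes) -> str:
    """Defence 2: parse with external general and parameter entities switched off,
    so a declared external entity is never fetched; returns the text content."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def load_config_name(xml_bytes: bytes) -> str:
    """Both layers together: structural rejection first, hardened parser second."""
    return parse_with_external_entities_disabled(reject_doctype(xml_bytes))


def is_rejected(xml_bytes: bytes) -> bool:
    """True when load_config_name() refuses the document."""
    try:
        load_config_name(xml_bytes)
    except ValueError:
        return True
    return False
```

The first layer is the one to rely on for configuration files of a known schema: it fails closed and does not depend on parser feature flags being set correctly in every code path. In a JAXB setup the equivalent of the second layer is to unmarshal from an XMLStreamReader or SAX source whose factory has external entity and DTD support disabled, rather than passing a file to the Unmarshaller directly.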
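The following is an added example, not Swiss Post tooling, of a lockfile check that complements the trusted build described for #YWH-PGM232-111. It reads a `package-lock.json` in the npm v7+ `"packages"` layout and flags the indicators that precede a dependency-confusion install: a package resolved from an unexpected host, an internal-scope package resolved from the public registry, and an entry with no integrity hash. The lockfile content, the scope `@internal-placeholder` and the host `npm.internal.example` are constructed.

```python
"""Lockfile audit for dependency-confusion indicators, for YWH-PGM232-111.

Added example, not Swiss Post tooling. The sample lockfile, the internal
scope and the internal registry host are constructed.
"""
import json
from urllib.parse import urlparse

PUBLIC_REGISTRY = "registry.npmjs.org"
INTERNAL_REGISTRY = "npm.internal.example"       # constructed
INTERNAL_SCOPES = ("@internal-placeholder/",)    # constructed

SAMPLE_LOCKFILE = json.dumps({
    "name": "evoting-frontend-sample",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "evoting-frontend-sample", "version": "0.0.0"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-constructedplaceholder==",
        },
        "node_modules/@internal-placeholder/crypto": {
            "version": "2.0.0",
            "resolved": "https://registry.npmjs.org/@internal-placeholder/crypto/-/crypto-2.0.0.tgz",
            "integrity": "sha512-constructedplaceholder==",
        },
        "node_modules/@internal-placeholder/ui": {
            "version": "1.4.0",
            "resolved": "https://npm.internal.example/@internal-placeholder/ui/-/ui-1.4.0.tgz",
            "integrity": "sha512-constructedplaceholder==",
        },
        "node_modules/some-helper": {
            "version": "0.1.0",
            "resolved": "https://mirror.example.invalid/some-helper-0.1.0.tgz",
        },
    },
})


def package_name(lock_path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (handles nested dependencies)."""
    return lock_path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock_text: str) -> list:
    """Return (package, reason) pairs; an empty list means no indicator was found."""
    findings = []
    for lock_path, entry in json.loads(lock_text)["packages"].items():
        if lock_path == "":
            continue  # the root project itself
        name = package_name(lock_path)
        resolved = entry.get("resolved")
        if not resolved:
            findings.append((name, "no resolved URL recorded"))
            continue
        host = urlparse(resolved).hostname
        if name.startswith(INTERNAL_SCOPES):
            # An internal name served by the public registry is the confusion case.
            if host != INTERNAL_REGISTRY:
                findings.append((name, f"internal-scope package resolved from {host}"))
        elif host != PUBLIC_REGISTRY:
            findings.append((name, f"unexpected registry host {host}"))
        if not entry.get("integrity"):
            findings.append((name, "missing integrity hash"))
    return findings


if __name__ == "__main__":
    for package, reason in audit_lockfile(SAMPLE_LOCKFILE):
        print(f"{package}: {reason}")
```

Pinning the scope to its registry in `.npmrc` (`@internal-placeholder:registry=https://npm.internal.example/`) prevents the first finding from arising at install time; the lockfile audit catches it after the fact and is cheap to run in the same pipeline that the independent experts use for the trusted build.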