Results from the bug bounty programme, update 31 March 2023
For its e-voting solution, Swiss Post is running a public bug bounty program. The previous update was published on 31 December 2022.
Since then, the hunters submitted 22 reports:
- 2 reports concern cryptography-related issues in the cryptographic protocol and its specification.
- 11 reports concern source-code issues. They highlighted meaningful improvements in the source code.
- 6 reports were not accepted by Swiss Post and YesWeHack because they could not be reproduced or did not identify a vulnerability, and 3 reports are still under review. Triaging reports is a standard process in bug bounty programs; the decisions were taken together with our partner YesWeHack.
In total, Swiss Post paid out EUR 23'500.- in rewards since the last update to the hunters who submitted these reports.
Cryptography-related issues
YWH-ID | Title | Description | Status | CVSS-severity |
---|---|---|---|---|
#YWH-PGM232-121 | Improve second pre-image resistance of the RecursiveHashToZq and KDFToZq functions | RecursiveHashToZq and KDFToZq are cryptographic hash functions used in the Swiss Post Voting System to map input data to fixed-length outputs in the finite field Zq. Under specific conditions, these functions are susceptible to second pre-image attacks: given an input message, an attacker can find a different message with the same hash value, which in general could allow them to impersonate the original sender or carry out other malicious activities. The weakness arises because both functions take an upper bound to ensure the output lies within the desired domain. If the initial output is larger than the upper bound, the hash operation is repeated on that output, which inadvertently lets an attacker trivially find a second pre-image for the original input. The reported attack does not compromise the verifiability and privacy properties of the Swiss Post Voting System, since the affected methods are used only in a limited capacity that prevents the attack from being exploited. Nonetheless, these methods should be improved to avoid accidental misuse of the crypto-primitives library. Identified thanks to Sylvain Pelissier | Crypto-primitives release 1.2.3 improved the RecursiveHashToZq function (including the specification), and release 1.3.0 will improve the KDFToZq function and prevent any second pre-image vulnerabilities in these functions. The corrections are contained in three crypto-primitives commits (direct links to the first, second and third commit). | Medium |
#YWH-PGM232-122 | Crypto-primitives: potential hash collision due to the handling of invalid UTF-8 sequences in the 'stringToByteArray' implementation | As per the crypto-primitives specification, strings are encoded in UTF-8. However, while 'ByteArrayToString' checks for malformed UTF-8 sequences, 'stringToByteArray' does not perform any validation. If ill-formed UTF-8 sequences are encountered, the underlying 'getBytes' function silently substitutes them with the '?' character. As a result, a string containing invalid UTF-8 sequences is accepted and encodes to the same bytes as a string that legitimately contains '?', leading to a potential hash collision, since the hash is computed on the bytes resulting from the string encoding. Because the Swiss Post Voting System defines the input domain of the hash functions explicitly, this issue does not result in a demonstrated attack. However, the crypto-primitives library should validate UTF-8 sequences to prevent such scenarios from arising. Identified thanks to Ruben Santamarta (reversemode) | Crypto-primitives release 1.3.0 validates the inputs before invoking the stringToByteArray function. The corrections are contained in two crypto-primitives commits (direct links to the first and second commit). | Medium |
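The retry weakness behind #YWH-PGM232-121, shown with an added Python example that is not code from the crypto-primitives library. It reconstructs the pattern the report describes (re-hash the previous output whenever it is not below the bound q) under the assumption that the repeated hash consumes only the intermediate digest, and contrasts it with a counter-based retry that always re-hashes the original input. SHA-256 and the constant Q are constructed stand-ins for the system's hash and group order, and the counter-based variant is one standard repair, not necessarily the one adopted in release 1.2.3.

```python
import hashlib

# Constructed demonstration bound (not the production group order). A bound just
# below 2^255 means roughly half of all SHA-256 outputs exceed it, so an input
# that triggers the retry loop is found after a couple of attempts.
Q = (1 << 255) - 19


def hash_to_zq_rehash(data: bytes, q: int = Q) -> int:
    """Reconstruction of the flawed pattern (assumption): hash the input and,
    while the result is >= q, hash the *previous output* again."""
    digest = hashlib.sha256(data).digest()
    while int.from_bytes(digest, "big") >= q:
        digest = hashlib.sha256(digest).digest()
    return int.from_bytes(digest, "big")


def hash_to_zq_counter(data: bytes, q: int = Q) -> int:
    """One standard repair (assumption, not necessarily Swiss Post's fix): on
    rejection, hash the *original input* again under a fresh fixed-width counter,
    so every candidate still depends on the full input."""
    counter = 0
    while True:
        digest = hashlib.sha256(counter.to_bytes(4, "big") + data).digest()
        value = int.from_bytes(digest, "big")
        if value < q:
            return value
        counter += 1


def find_rejected_input(q: int = Q, prefix: bytes = b"ballot-") -> bytes:
    """Find a constructed input whose first SHA-256 digest is >= q, i.e. one
    that makes the retry loop run at least once."""
    i = 0
    while True:
        candidate = prefix + str(i).encode()
        if int.from_bytes(hashlib.sha256(candidate).digest(), "big") >= q:
            return candidate
        i += 1


def second_preimage(data: bytes) -> bytes:
    """The trivial second pre-image: the rejected intermediate digest itself.
    Feeding it in resumes the same retry chain and yields the same Zq value."""
    return hashlib.sha256(data).digest()


def demo(q: int = Q) -> tuple:
    m = find_rejected_input(q)
    m2 = second_preimage(m)
    assert m2 != m
    collides_flawed = hash_to_zq_rehash(m, q) == hash_to_zq_rehash(m2, q)
    collides_fixed = hash_to_zq_counter(m, q) == hash_to_zq_counter(m2, q)
    # Both constructions keep the output inside the target domain.
    assert hash_to_zq_rehash(m, q) < q and hash_to_zq_counter(m, q) < q
    return collides_flawed, collides_fixed


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The second pre-image costs one hash evaluation and no search: any input whose first digest lands outside the domain hands the attacker a 32-byte string that maps to the same field element. With the counter variant the attacker is back to breaking second pre-image resistance of the underlying hash.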
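The collision path in #YWH-PGM232-122, as an added Python example rather than the library's Java code. Python's errors="replace" handler substitutes '?' on encoding exactly as the report describes for getBytes, so a value smuggled through JSON as a lone-surrogate escape encodes, and therefore hashes, identically to a legitimate value that contains '?'. The identifiers and the JSON document are constructed for the example; the validating variant is the check the report asks for.

```python
import hashlib
import json


def string_to_bytes_lenient(s: str) -> bytes:
    """Mirrors the behaviour reported for Java's String.getBytes(UTF_8): an
    unpaired surrogate cannot be encoded, and the lenient path silently
    substitutes '?' for it instead of failing."""
    return s.encode("utf-8", errors="replace")


def string_to_bytes_strict(s: str) -> bytes:
    """Validating variant: reject ill-formed input instead of rewriting it."""
    try:
        return s.encode("utf-8", errors="strict")
    except UnicodeEncodeError as exc:
        raise ValueError(f"ill-formed UTF-8 input at offset {exc.start}: {exc.reason}") from None


def bytes_to_string(b: bytes) -> str:
    """Decoding side, which (as the report notes) already validates."""
    return b.decode("utf-8", errors="strict")


def is_well_formed(s: str) -> bool:
    try:
        string_to_bytes_strict(s)
        return True
    except ValueError:
        return False


def hash_string(s: str, encoder) -> str:
    """Hash over the *encoded bytes*, as the crypto-primitives do."""
    return hashlib.sha256(encoder(s)).hexdigest()


def demo() -> tuple:
    # Constructed inputs: a legitimate value with a literal '?', and an
    # attacker-supplied JSON document carrying a lone surrogate via \ud800,
    # which json.loads turns into an unpaired surrogate code unit.
    legitimate = "ballot-box-7?"
    smuggled = json.loads(r'{"id": "ballot-box-7\ud800"}')["id"]
    assert legitimate != smuggled

    same_hash_lenient = (hash_string(legitimate, string_to_bytes_lenient)
                         == hash_string(smuggled, string_to_bytes_lenient))
    strict_rejects = (not is_well_formed(smuggled)) and is_well_formed(legitimate)
    # Validating only on the decode side cannot catch this: after substitution
    # the bytes are perfectly valid UTF-8 and round-trip to the legitimate value.
    round_trip_hides_it = bytes_to_string(string_to_bytes_lenient(smuggled)) == legitimate
    return same_hash_lenient, strict_rejects, round_trip_hides_it


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The practical rule: validate on the way *in* (strict encoding of every string before it is hashed or signed), because once the lossy substitution has happened no downstream check can tell the two inputs apart.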
Source-code-related issues
YWH-ID | Title | Description | Status | CVSS-severity |
---|---|---|---|---|
#YWH-PGM2323-106 | Potential denial of service in offline components due to highly compressed data in ZIP files | In the SDM, the way files are extracted in the "unzipToDirectory" method can consume a lot of machine resources, which could lead to a denial of service if the resource usage is far larger than the data being processed. The ZIP algorithm can produce very large compression ratios: for example, a file consisting of alternating lines of 'a' characters and 'b' characters can achieve a compression ratio of more than 200 to 1. The CompressionService does limit the size of each individual file in the archive, but only incidentally, because for each entry in the ZIP file it reads the data using a buffer of initially 1024 bytes. It limits neither the number of entries contained in the archive nor the total archive size. An attacker who somehow manages to overwrite the ZIP file intended to be provided to the SDM could create an archive containing a huge number of files, each decompressing to 1024 bytes or less, to significantly slow down or even crash the machine running the CompressionService. | Release 1.3.0 mitigates the issue by encrypting the ZIP file during export in the Secure Data Manager and decrypting it during import, thereby preventing tampering in transit and mitigating potential denial-of-service attacks caused by excessive compression ratios. Due to the variability of file sizes between election events, imposing size restrictions on ZIP files is not feasible. However, as the import and export processes are performed during the configuration phase and do not affect the voting server or control components, they can easily be repeated as necessary. Consequently, release 1.3.0 decreases the attack surface, and the potential impact of a denial-of-service attack would be minimal. | Low |
#YWH-PGM2323-109 | Defense-in-depth data sanitization in the voting server can be bypassed | The voting server employs a defense-in-depth mechanism that sanitizes requests based on their content-type, complementing the semantic and syntactic validation performed by all system components. However, the hunter's findings reveal that this mechanism can be bypassed by omitting content-type headers or utilizing multipart request bodies, undermining its efficacy. Nevertheless, no demonstrable attack was identified as a result of these weaknesses. | Release 1.3.0 comprehensively refactors the voting server by removing the generic sanitization filter present in prior versions. Instead, it mandates that all method parameters and inputs are subjected to validation, which is accomplished via constructor and deserialization validation. This technique aligns with established best practices in input validation, as outlined in the OWASP Input Validation Cheat Sheet. | Low |
#YWH-PGM232-111 | Potential NPM dependency confusion attacks | NPM dependency confusion is a software supply-chain attack that exploits the way package managers such as npm (Node Package Manager) resolve and install dependencies: a malicious actor publishes a package to the public registry under the same name as an internal package used by the target organization, hoping that the build resolves to the public one. The Swiss Post Voting System uses a "trusted build" process that is not susceptible to NPM dependency confusion attacks. Additionally, a user who follows the build instructions is not at risk, since the process relies on a locally downloaded and secure package.json file. Nonetheless, it is recommended that Swiss Post consider additional security measures, such as private npm packages, to further protect against NPM dependency confusion attacks. Identified thanks to Deepanshu Devaliya (golu369) | We will investigate setting up an npm scope or namespace to avoid dependency-confusion attacks. This will be addressed in a future version. | Low |
#YWH-PGM232-112 | Improvements in XXE attack mitigations | The XmlFileRepository class in the SDM uses an Unmarshaller to read XML files, which can introduce a vulnerability known as XXE (XML External Entity). This class of vulnerability occurs when an application processes XML input that references external entities; an attacker can exploit it by injecting malicious XML data containing such references. While the Secure Data Manager includes some measures against XXE attacks by restricting the allowable attributes in both the XML and the XSD, the current source code does not fully eliminate all potential attack vectors and could benefit from further hardening. | Version 1.2.3 of the e-voting system and version 1.3.3 of the verifier introduced supplementary security measures to mitigate XXE attacks (see the e-voting commit and the verifier commit). | Medium |
#YWH-PGM232-113 | Potential improvements in consistency checks of identifiers when persisting data on the file system | The implementation of the "GenKeysCCR" logic across the SDM, voting server and control components validates the signature of the "ControlComponentPublicKeysPayload" only after its contents have been persisted to the file system. As a result, a malicious voting server can modify the 'electionEventId' value, which is not verified during the consistency checks performed by the SDM after receiving the response from the voting server; the contents are then persisted using the 'electionEventId' taken directly from the unverified payload. Although the current process does not allow the public key verification to be bypassed, it is advisable to verify that the identifiers in the payload match those in the request, to prevent previously validated public keys from being overwritten. Identified thanks to Ruben Santamarta (reversemode) | Version 1.3.0 enhances input validation by verifying the consistency of identifiers between the request and the payload (see the e-voting commit). | Medium |
#YWH-PGM232-114 | Potential consistency check improvements before persisting the vote in the control component's database | This issue is related to #YWH-PGM232-113 above. The reporter demonstrated that entries can be stored in a control component's database without a valid election event context: a malicious voting server could create an election event and submit a vote before the control components have had the chance to verify its context, thus bypassing certain consistency checks. While this does not result in a direct attack, it can leave the control component's database in an inconsistent state. Identified thanks to Ruben Santamarta (reversemode) | Version 1.3.0 reorganizes the validation process for encrypted verifiable votes, ensuring that the control components fully verify the vote's authenticity, including the existence of a valid election event context, before storing it in the database (see the e-voting commit). | Low |
#YWH-PGM232-115 | Transitive dev dependency with a potential DoS vulnerability | The e-voting system uses the open-source component glob-parent in versions 3.1.0 and ^3.1.0, which are affected by a denial-of-service vulnerability, CVE-2020-28469. Since glob-parent is only a transitive dependency of gulp, a task runner used to automate front-end web development, and is not part of the executable code, we have not identified any concrete attack. Nonetheless, updating the dependency is considered best practice. | We updated the version of glob-parent in release 1.2.3 (see the e-voting commit). | Low |
#YWH-PGM232-118 | Use of an open-source component with a known vulnerability | The e-voting system incorporates the Java library zip4j version 2.11.2, which is affected by a medium-severity vulnerability, CVE-2023-22899: zip4j fails to authenticate the MAC of decrypted ZIP archives, potentially allowing an attacker to manipulate an encrypted archive without detection. However, the relevant files within the ZIP archive are signed to ensure their verifiability, which mitigates the vulnerability and renders it unexploitable in this context. Updating the library is still considered best practice. | Release 1.2.3 of the e-voting system updated the vulnerable version of zip4j. | Medium |
#YWH-PGM232-119 | Transitive dev dependency with a potential DoS vulnerability | "decode-uri-component" is an open-source JavaScript library that offers a URI component decoding function. Its version 0.2.0 is affected by a denial-of-service vulnerability, CVE-2022-38900. While decode-uri-component is only a transitive build dependency of the Swiss Post Voting System and is not part of the executable code, updating it is still recommended as best practice. | Release 1.2.3 updated the vulnerable version of decode-uri-component (see the e-voting commit). | Low |
#YWH-PGM232-120 | Potential improvements in consistency checks of identifiers when persisting data on the file system | This issue is linked to #YWH-PGM232-113. The SDM does not perform any verification of the mixing payloads received from the control components via the voting server before storing them. Consequently, a malicious voting server could manipulate the list of 'ControlComponentBallotBoxPayload' and 'ControlComponentShufflePayload' payloads, altering the 'nodeId', 'electionEventId' and 'ballotBoxId' values so that they differ from the expected ones. These values are used to build the names of the files in which the payloads are stored. Although no attack results from this, because payload consistency is verified before the subsequent algorithm is executed, it is still recommended to carry out these checks before storing the payloads, thereby strengthening the system. Identified thanks to Ruben Santamarta (reversemode) | Version 1.3.0 enhances input validation by verifying the consistency of identifiers between the request and the payload (see the e-voting commit). | Low |
#YWH-PGM232-126 | Potential issue with filling up a Secure Data Manager’s disk space in a specific exception scenario. | During ZIP file import, the Secure Data Manager creates a temporary directory to unzip the archive. However, if the unzip operation encounters an error, the temporary directory is not deleted. If this error occurs repeatedly, it may result in a buildup of temporary folders containing decompressed ZIP archives, leading to disk space filling up over time. | Release 1.3.0 mitigates the issue by encrypting the ZIP file during export in the Secure Data Manager and decrypting it during import, thereby preventing tampering during transit and mitigating potential attacks that result from tampering with the ZIP file. | Low |
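The two budgets #YWH-PGM2323-106 reports as missing, an entry-count limit and a total-bytes limit, together with a per-entry compression-ratio ceiling, as an added Python example. It is not the SDM's Java CompressionService, and it does not reflect the encryption-based mitigation Swiss Post chose for release 1.3.0; it shows what a bounded extractor looks like for a deployment where fixed budgets are acceptable. The archives and payloads are constructed in memory; the limit values are arbitrary.

```python
import io
import zipfile
from pathlib import PurePosixPath


class ZipLimitExceeded(ValueError):
    """Raised when an archive violates one of the extraction budgets."""


def build_zip(n_entries: int, payload: bytes) -> bytes:
    """Constructed test archive: n_entries copies of one highly compressible payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for i in range(n_entries):
            zf.writestr(f"entry-{i}.txt", payload)
    return buf.getvalue()


def safe_unzip(data: bytes, *, max_entries: int, max_total: int, max_ratio: int) -> dict:
    """Extract into memory while enforcing an entry budget, a total-bytes budget
    and a per-entry compression-ratio ceiling. The total is charged against
    bytes actually produced, not only against the attacker-controlled headers."""
    out = {}
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > max_entries:
            raise ZipLimitExceeded(f"{len(infos)} entries > {max_entries}")
        for info in infos:
            parts = PurePosixPath(info.filename).parts
            if info.filename.startswith(("/", "\\")) or ".." in parts:
                raise ZipLimitExceeded(f"unsafe entry name {info.filename!r}")
            # Header-declared sizes allow a cheap early rejection...
            if info.compress_size and info.file_size / info.compress_size > max_ratio:
                raise ZipLimitExceeded(f"{info.filename}: declared ratio exceeds {max_ratio}:1")
            if total + info.file_size > max_total:
                raise ZipLimitExceeded("declared total size exceeds budget")
            # ...but the inflated bytes are what actually cost CPU and memory.
            chunks = []
            with zf.open(info) as f:
                while True:
                    chunk = f.read(64 * 1024)
                    if not chunk:
                        break
                    total += len(chunk)
                    if total > max_total:
                        raise ZipLimitExceeded("extracted bytes exceed budget")
                    chunks.append(chunk)
            out[info.filename] = b"".join(chunks)
    return out


def demo() -> tuple:
    small = build_zip(50, b"a\nb\n" * 256)              # 50 entries of 1 KiB each
    extracted = len(safe_unzip(small, max_entries=100, max_total=1 << 20, max_ratio=2000))
    try:
        safe_unzip(small, max_entries=10, max_total=1 << 20, max_ratio=2000)
        too_many_caught = False
    except ZipLimitExceeded:
        too_many_caught = True
    bomb = build_zip(1, b"a\nb\n" * (256 * 1024))         # one entry inflating to 1 MiB
    try:
        safe_unzip(bomb, max_entries=100, max_total=1 << 20, max_ratio=100)
        ratio_caught = False
    except ZipLimitExceeded:
        ratio_caught = True
    return extracted, too_many_caught, ratio_caught


if __name__ == "__main__":
    print(demo())  # (50, True, True)
```

Counting produced bytes rather than trusting file_size matters because the central-directory sizes are part of the untrusted input; the declared-size checks are only an optimisation that lets an obviously oversized archive be refused before any inflation work is done.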
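The check requested in #YWH-PGM232-113 and #YWH-PGM232-120, as an added Python example that is not the e-voting code: identifiers taken from a response payload are compared with the request that produced it, and the payload's authenticity is verified, before anything is written under a path derived from those identifiers. Assumptions made for the example: election and ballot-box identifiers are 32 lowercase hex characters, control-component node ids are 1 to 4, an HMAC-SHA256 tag stands in for the real signature, and the directory layout is invented.

```python
import hashlib
import hmac
import json
import re
import tempfile
from pathlib import Path

# Assumptions for this example (not the system's actual formats or keys).
ID_RE = re.compile(r"^[0-9a-f]{32}$")
NODE_IDS = {1, 2, 3, 4}
SIGNING_KEY = b"constructed-demo-key"


class PayloadRejected(ValueError):
    pass


def canonical(payload: dict) -> bytes:
    body = {k: v for k, v in payload.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(payload: dict, key: bytes = SIGNING_KEY) -> dict:
    tag = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return dict(payload, signature=tag)


def verify_signature(payload: dict, key: bytes = SIGNING_KEY) -> None:
    expected = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, payload.get("signature", "")):
        raise PayloadRejected("bad signature")


def check_identifiers(request: dict, payload: dict) -> None:
    """Every identifier that ends up in a file name must equal the one in the
    request and be well-formed, so a relaying server cannot redirect the write."""
    for field in ("electionEventId", "ballotBoxId"):
        if payload.get(field) != request[field] or not ID_RE.match(str(payload.get(field))):
            raise PayloadRejected(f"{field} mismatch or malformed")
    if payload.get("nodeId") != request["nodeId"] or payload["nodeId"] not in NODE_IDS:
        raise PayloadRejected("nodeId mismatch or malformed")


def storage_path(base: Path, payload: dict) -> Path:
    return (base / str(payload["electionEventId"]) / str(payload["ballotBoxId"])
            / f"controlComponentShufflePayload.{payload['nodeId']}.json")


def persist_unchecked(base: Path, payload: dict) -> Path:
    """Ordering criticised in the reports: write using untrusted ids, verify afterwards."""
    path = storage_path(base, payload)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(canonical(payload))
    verify_signature(payload)  # too late: the file already exists on disk
    return path


def persist_checked(base: Path, request: dict, payload: dict) -> Path:
    """Hardened ordering: identifiers and signature are checked before any I/O."""
    check_identifiers(request, payload)
    verify_signature(payload)
    path = storage_path(base, payload)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(canonical(payload))
    return path


def demo() -> tuple:
    with tempfile.TemporaryDirectory() as tmp:
        unchecked, checked = Path(tmp, "unchecked"), Path(tmp, "checked")
        checked.mkdir()
        request = {"electionEventId": "a" * 32, "ballotBoxId": "b" * 32, "nodeId": 1}
        honest = sign(dict(request, shuffledVotes=["c1", "c2"]))      # constructed payload
        tampered = dict(honest, electionEventId="f" * 32)             # relayed under another event
        traversal = dict(honest, ballotBoxId="../../escaped")         # ids feed the path

        try:
            persist_unchecked(unchecked, tampered)
        except PayloadRejected:
            pass
        wrote_under_other_event = storage_path(unchecked, tampered).exists()

        def rejected_without_io(payload: dict) -> bool:
            try:
                persist_checked(checked, request, payload)
                return False
            except PayloadRejected:
                return not any(checked.rglob("*"))  # nothing reached the disk

        tampered_rejected = rejected_without_io(tampered)
        traversal_rejected = rejected_without_io(traversal)
        honest_ok = persist_checked(checked, request, honest).exists()
    return wrote_under_other_event, tampered_rejected, traversal_rejected, honest_ok


if __name__ == "__main__":
    print(demo())  # (True, True, True, True)
```

The unchecked variant still detects the forgery, but only after a file has been created under the wrong election event, which is exactly the overwrite the reports warn about; the checked variant fails closed before the path is even computed.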
Edited by Swisspost Product