SEC Consult researchers have found a vulnerability in eIDAS-Node, the software used to confirm the identity of European citizens and businesses in cross-border transactions. Because digital certificates were not properly validated, an attacker could carry out operations on behalf of any other natural or legal person.
The eIDAS framework (electronic IDentification, Authentication and trust Services) was established by EU regulation in 2014. It provides for cross-border exchange of identity information between EU member states, so that the legitimacy of a transaction can be checked against national databases.
The central role is played by the so-called eIDAS nodes (eIDAS-Node). They send and receive identity verification requests and relay information between the pan-European infrastructure and each member state's national databases. Nodes communicate using SAML (Security Assertion Markup Language), an open XML-based standard for exchanging signed authentication assertions.
As the researchers explained, the root cause is incorrect verification of the signature that vouches for the authenticity of a response to a request.
On receiving a SAML message, the application verifies its digital signature, but does not check whether the certificate that produced the signature is itself properly signed, that is, whether it chains to a trusted authority. A valid signature therefore proves only that the sender holds the private key matching whatever certificate it chose to embed in the message. An attacker could thus forge a certificate and conduct a transaction on behalf of any person registered in the eIDAS system.
“Current versions of the eIDAS-Node package fail to validate certificates used in eIDAS operations, allowing attackers to fake the certificate of any other eIDAS citizen or business. To carry out the attack, a threat actor only needs to initiate a malicious connection to an eIDAS-Node server of any member state, and supply forged certificates during the initial authentication process”, SEC Consult specialists report.
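The following Go program is an added example, not the eIDAS-Node code (which is Java) and not SEC Consult's proof of concept. It reduces the flaw to its essentials: a message carries the signer's certificate, and the verifier either trusts that certificate on its own say-so (the vulnerable check) or first requires it to chain to a configured trust anchor (the hardened check). To stay self-contained it signs a SHA-256 digest of the payload with ECDSA P-256 instead of XML-DSig; the CA, the node certificate, the attacker's self-signed look-alike certificate, and the SAML-looking payload are all constructed inside the program and their names are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedMessage stands in for a signed SAML response: payload, embedded signer certificate (DER), signature.
type SignedMessage struct{ Payload, CertDER, Sig []byte }

// VerifyVulnerable mirrors the flaw described above: the signature is checked against whatever
// certificate the message carries, and that certificate's subject is believed on its own say-so.
func VerifyVulnerable(m SignedMessage) (string, error) {
	cert, err := x509.ParseCertificate(m.CertDER)
	if err != nil {
		return "", err
	}
	return subjectIfSigned(cert, m)
}

// VerifyHardened adds the missing step: the embedded certificate must chain to a configured
// trust anchor before its key is allowed to vouch for anything.
func VerifyHardened(m SignedMessage, roots *x509.CertPool) (string, error) {
	cert, err := x509.ParseCertificate(m.CertDER)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("untrusted signer certificate: %w", err)
	}
	return subjectIfSigned(cert, m)
}

// subjectIfSigned returns the certificate's subject CN only if m.Sig verifies under its key.
func subjectIfSigned(cert *x509.Certificate, m SignedMessage) (string, error) {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(m.Payload)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], m.Sig) {
		return "", fmt.Errorf("signature does not verify under the embedded certificate")
	}
	return cert.Subject.CommonName, nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a fresh P-256 key plus a certificate for it, signed by parent/signer or self-signed when parent is nil.
func issue(cn string, ku x509.KeyUsage, serial int64, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0,
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

func sign(payload []byte, cert *x509.Certificate, key *ecdsa.PrivateKey) SignedMessage {
	digest := sha256.Sum256(payload)
	return SignedMessage{Payload: payload, CertDER: cert.Raw, Sig: must(ecdsa.SignASN1(rand.Reader, key, digest[:]))}
}

// BuildScenario is a constructed fixture (made-up names and payload): the trust store, a response signed
// under a CA-issued certificate, and one signed under an attacker's self-signed certificate copying the subject.
func BuildScenario() (roots *x509.CertPool, legit, forged SignedMessage) {
	caCert, caKey := issue("Example Member State eIDAS CA", x509.KeyUsageCertSign, 1, nil, nil)
	nodeCert, nodeKey := issue("eIDAS-Node example-ms", x509.KeyUsageDigitalSignature, 2, caCert, caKey)
	atkCert, atkKey := issue("eIDAS-Node example-ms", x509.KeyUsageDigitalSignature, 3, nil, nil)
	roots = x509.NewCertPool()
	roots.AddCert(caCert)
	payload := []byte(`<saml2p:Response ID="constructed-example">...</saml2p:Response>`)
	return roots, sign(payload, nodeCert, nodeKey), sign(payload, atkCert, atkKey)
}

func main() {
	roots, legit, forged := BuildScenario()
	for name, m := range map[string]SignedMessage{"legitimate": legit, "forged": forged} {
		who, err := VerifyVulnerable(m)
		fmt.Printf("%-10s vulnerable: subject=%q err=%v\n", name, who, err)
		who, err = VerifyHardened(m, roots)
		fmt.Printf("%-10s hardened:   subject=%q err=%v\n", name, who, err)
	}
}
```

Both messages pass the vulnerable check with the same subject name, because the attacker simply put that name in a certificate of their own making; only the hardened check rejects the forgery, with an unknown-authority error. Chain validation is necessary but not sufficient: the trust store must contain only the anchors expected for the peer in question (in an eIDAS deployment, the certificates published in the partner node's metadata) rather than a broad CA bundle, otherwise a certificate issued by any trusted CA to anyone would still pass.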
The researchers successfully tested their attack scenarios against legitimate European Commission applications. They add that information systems in member states that integrate with eIDAS nodes may be affected by the same class of vulnerability, which made the overall scale of the threat difficult to assess.

Operators of eIDAS-Node software are urged to install the 2.3.1 update, which is already available from the developer. eIDAS node operators should also look for signs of illegitimate transactions in their areas of responsibility.