German COVID-19 Contact-Tracing Vulnerability Allowed RCE


A security vulnerability in the infrastructure underlying Germany’s official COVID-19 contact-tracing app, called the Corona-Warn-App (CWA), would have allowed pre-authenticated remote code execution (RCE).

Researcher Alvaro Muñoz wrote in a report this week that he and his team at GitHub Security Lab were chasing down RCE vulnerabilities on the platform and found one in the infrastructure supporting CWA for Android and iOS. The team said it worked with SAP to mitigate the issue, adding that, because it was a server-side issue, the mobile apps themselves were not impacted, and that no data was collected beyond a device’s IP address.

“There appeared to be a pre-authentication RCE vulnerability in Corona-Warn-App Server, which drives Germany’s COVID-19 contact-tracing application infrastructure,” according to Muñoz. “This vulnerability had the potential to affect the integrity of Germany’s COVID-19 response and as such warranted an immediate response from our team.”
The Bug

The vulnerable code was located in the Submission Service, a microservice built on the Spring Boot framework that is responsible for validating the information CWA users submit.

This service uses a component called the SubmissionController, which verifies various aspects of the user-supplied information, such as making sure all mandatory fields are filled out. The data is validated by the “ValidSubmissionPayload” validator.

“As explained in our previous research on Java Bean Validation vulnerabilities, if any validated bean properties flow into a custom constraint violation template, [an] attacker-controlled property will be evaluated as an Expression Language (EL) expression, which allows for the evaluation of arbitrary Java code,” the researcher explained.

This turns out to be the case for two of the validation checks on the user-supplied submissions: one checks that the “visited countries” information is valid, and the other checks that the origin country is valid.

The upshot, the researcher said, is that POST requests to the Submission endpoint are allowed by default and require no further authorization or authentication. And the Submission endpoint itself is publicly exposed, so it is reachable remotely.
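The pattern described above, as an added illustration that is not CWA's code and not GitHub Security Lab's report: a Java Bean Validation custom constraint that checks a country code, first in the vulnerable shape (the validated value is concatenated into the constraint violation template, so the message interpolator evaluates any EL inside it), then in a hardened shape (the template is a constant that never carries user input). The annotation, validator and bean names are invented for this example, the allow-list is constructed, and the demo assumes Hibernate Validator and a javax.el implementation on the classpath.

```java
import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.HashSet;
import java.util.Set;
import javax.validation.Constraint;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
import javax.validation.ConstraintViolation;
import javax.validation.Payload;
import javax.validation.Validation;
import javax.validation.Validator;

// Hypothetical constraint (not from CWA): the country code must be in an allow-list.
@Documented
@Constraint(validatedBy = HardenedCountryValidator.class)
@Target({ ElementType.FIELD, ElementType.PARAMETER })
@Retention(RetentionPolicy.RUNTIME)
@interface ValidCountry {
    String message() default "origin country is not in the allow-list";
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};
}

final class CountryAllowList {
    // Constructed sample allow-list for the demo.
    static final Set<String> CODES = Set.of("DE", "FR", "IT", "AT", "NL");
    private CountryAllowList() {}
}

// VULNERABLE PATTERN (kept only for comparison): the validated value is
// concatenated into the violation template. The message interpolator then
// evaluates ${...} expressions found in that user-controlled string as EL.
final class VulnerableCountryValidator implements ConstraintValidator<ValidCountry, String> {
    @Override
    public boolean isValid(String country, ConstraintValidatorContext ctx) {
        if (country == null || CountryAllowList.CODES.contains(country)) {
            return true;
        }
        ctx.disableDefaultConstraintViolation();
        ctx.buildConstraintViolationWithTemplate("Invalid country: " + country) // user data in template
           .addConstraintViolation();
        return false;
    }
}

// HARDENED PATTERN: no custom template is built, so the only message the
// interpolator ever sees is the constant default from @ValidCountry.
final class HardenedCountryValidator implements ConstraintValidator<ValidCountry, String> {
    @Override
    public boolean isValid(String country, ConstraintValidatorContext ctx) {
        return country == null || CountryAllowList.CODES.contains(country);
    }
}

// Minimal bean standing in for the submission payload.
final class SubmissionPayload {
    @ValidCountry
    final String origin;
    SubmissionPayload(String origin) { this.origin = origin; }
}

public final class ElTemplateDemo {
    // Returns the violation messages produced for a given origin string.
    static Set<String> messagesFor(String origin) {
        Validator validator = Validation.buildDefaultValidatorFactory().getValidator();
        Set<ConstraintViolation<SubmissionPayload>> violations =
                validator.validate(new SubmissionPayload(origin));
        Set<String> messages = new HashSet<>();
        for (ConstraintViolation<SubmissionPayload> v : violations) {
            messages.add(v.getMessage());
        }
        return messages;
    }

    public static void main(String[] args) {
        // Regression check for the hardened validator: a harmless arithmetic
        // canary in the input must not be evaluated into the message.
        String canary = "${7*7}";
        for (String m : messagesFor(canary)) {
            if (m.contains("49")) {
                throw new AssertionError("EL was evaluated in a validation message: " + m);
            }
        }
        System.out.println("OK, messages: " + messagesFor(canary));
    }
}
```

The check in main is the kind of unit test worth keeping in a Spring Boot project that writes custom validators: it fails loudly if someone later reintroduces string concatenation into a violation template. Newer Hibernate Validator releases (6.2 onward) disable EL in custom violation templates unless it is explicitly enabled, so the comparison above reflects the older interpolation behaviour the report describes; the hardened shape is correct on every version.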

CWA was commissioned by the German government and built by SAP and Deutsche Telekom using the GitHub development platform. It functions by exchanging anonymous tokens through the exposure notification API from Apple and Google, over Bluetooth Low Energy. The log is saved for 14 days. If the user tests positive, the anonymous log is submitted to the CWA server, which keeps track of exposure and can then, in turn, alert people to isolate after a set amount of exposure.

“The app informs us if we have had contact with a person diagnosed with COVID-19,” according to the CWA site. “It protects us and others around us, as well as our privacy.”

The app was released in June after only 50 days in development, according to SAP. The timeline was supercharged by making the open-source project available to the public on GitHub.

“More than 109,000 visitors viewed the code and approximately 7,250 community and project members participated,” SAP said in a statement in June about the app’s release. “The Corona-Warning-App is the largest open-source project ever implemented in Germany on behalf of the German government.”

For its part, GitHub is touting the finding of the bug as a success for both open source and the fight against COVID-19.

“This research is yet another example of open source saving the day – without involving the broader development community, GitHub Security Lab would not have been able to discover and help fix this vulnerability, risking a mission critical piece of infrastructure in the global fight against COVID-19,” Jamie Cool, vice president of product management, security at GitHub told Threatpost.
Contact-Tracing and Privacy

Privacy concerns have been a barrier to adoption of contact-tracing apps, which require widespread use to be valuable. People are leery about handing over their location data to government entities.

In Sept., the nonprofit Electronic Frontier Foundation warned that contact-tracing apps could be used to stifle free-speech protections, specifically calling out California’s lack of privacy considerations in developing a tracing app for the state.

“Privacy protections are necessary to public health programs, particularly when a program needs high levels of participation to be effective,” EFF’s Hayley Tsukayama wrote in a blog post in Sept. “People will not use applications they can’t trust. That’s why EFF and other privacy groups have called on Governor Newsom to place basic privacy guardrails on any contact-tracing program run by or with the state.”

Also, Utah’s “Healthy Together” app was slammed last May for throwing out the Google and Apple API, which assigns an anonymous identifier beacon to protect privacy, and instead using a system developed for a social-networking site that critics said collected gobs of user location data.

Muñoz said building these applications on open source not only offers transparency to users about what data is being collected and where it’s going, but also allows others to help spot security holes, which in turn builds critical public trust.