Corona warning app: security gap in the server
Source: Heise.de, added 20th Nov 2020

A vulnerability in the server backend of the German Corona warning app enabled remote code execution (RCE). The app itself was not affected. According to SAP, the vulnerability was not exploited. Personal data could not be accessed via the interface.
Contact detection in the Corona warning app works decentrally on the smartphones, but the distribution of the random identifiers of infected people to the apps runs via a central server.
Sylvester Tremmel has looked at the source code of the Corona warning app and explains the background to the vulnerability.
The vulnerability was in the interface for transmitting positive test results to the server. This interface is publicly reachable and requires no authentication. Only a TAN is needed to submit a positive result. The TAN is checked by a separate verification server, but only after the submission has been processed by the vulnerable code. So no positive Corona test was necessary to exploit the vulnerability.
In the worst case, it would have been possible to run your own code on the server and possibly smuggle in falsified results. In a blog post, SAP writes that the elimination of the vulnerability shows that “the open source and community process works perfectly and makes a decisive contribution to the security of the operation of the Corona warning app.”
Found by GitHub's Security Lab
The source code of the app and of the server is publicly available on GitHub. The vulnerability was found by chance by GitHub's Security Lab. Its researchers had been looking for patterns of “Java Bean Validation” vulnerabilities in order to integrate the detection patterns into the platform's automatic code-scanning tools. During the search, they also found the hole in the code for the Corona warning app's servers. There, the output of an error message was interpreted as code.
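The general Bean Validation pattern this class of finding describes, shown here as an added illustration (example code written for this article, not code from the Corona warning app server or from SAP): a validator that pastes the rejected request value into its error message beside a hardened variant. The @ValidKeyData constraint and the accepted key format are constructed for the example; the hardened variant uses Hibernate Validator's context API.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import javax.validation.Constraint;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
import javax.validation.Payload;
import org.hibernate.validator.constraintvalidation.HibernateConstraintValidatorContext;

// Hypothetical constraint; the accepted key format is constructed for this example.
@Retention(RetentionPolicy.RUNTIME)
@Constraint(validatedBy = KeyDataValidator.class)
@interface ValidKeyData {
    String message() default "invalid key data";
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};
}

// VULNERABLE pattern: the rejected request value is concatenated into the violation
// message template. Bean Validation runs templates through a message interpolator that
// evaluates expression language, so request-controlled text is parsed, not printed.
class UnsafeKeyDataValidator implements ConstraintValidator<ValidKeyData, String> {
    @Override
    public boolean isValid(String value, ConstraintValidatorContext ctx) {
        if (value != null && value.matches("[A-Za-z0-9+/]{22}==")) {
            return true;
        }
        ctx.disableDefaultConstraintViolation();
        ctx.buildConstraintViolationWithTemplate("Invalid key data: " + value) // input becomes template
           .addConstraintViolation();
        return false;
    }
}

// HARDENED: the template is a constant. If the offending value must be reported, hand it
// to Hibernate Validator as an expression variable: it is substituted as a value and never re-parsed.
public class KeyDataValidator implements ConstraintValidator<ValidKeyData, String> {
    @Override
    public boolean isValid(String value, ConstraintValidatorContext ctx) {
        if (value != null && value.matches("[A-Za-z0-9+/]{22}==")) {
            return true;
        }
        HibernateConstraintValidatorContext hctx = ctx.unwrap(HibernateConstraintValidatorContext.class);
        hctx.disableDefaultConstraintViolation();
        hctx.addExpressionVariable("rejected", value)
            .buildConstraintViolationWithTemplate("Invalid key data: ${rejected}")
            .addConstraintViolation();
        return false;
    }
}
```

The simplest fix is to report no request data in the message at all; code scanners look for the concatenation in the unsafe variant.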
After the discovery, the researchers reported the vulnerability to SAP. Four days later it was provisionally closed and version 1.5.1 of the server was released. After tests by SAP and the BSI, a second, more robust fix was installed. The current server version is 1.6.0.
A fork of the German Corona warning app is also being used in Belgium. However, the fork was created before the hole appeared in the code of the Corona app server. GitHub recommends that all countries that operate public or private forks of the server also apply the fix.
(mls)
media: Heise.de keywords: App Open Source Server