Skip to content

RMAC revert to the beginning of the session

Moderate
sidcha published GHSA-xhjw-7vh5-qxqm Mar 7, 2024

Package

libosdp (C Library)

Affected versions

< 3.0.0

Patched versions

3.0.0

Description

  • Issues:
    • SCS_14 is allowed on encrypted connection (osdp_phy.c)
    • No validation for RMAC_I is only in response to osdp_SCRYPT (osdp_cp.c)
    • Couldn't find anything specific in the OSDP specifications indicating it is forbidden, I'm gussing it shouldn't be allowed according from the secure connection initialization flow (let me know if you think there is spec-rela
      ted change that should be done)
  • Attack:
    • Once RMAC_I message can be sent during a session, attacker with MITM access to the communication may intercept the original RMAC_I reply and save it.
    • While the session continues, the attacker will record all of the replies and save them, till capturing the message to be replied (can be detected by ID, length or time based on inspection of visual activity next to the reade
      r)
    • Once attacker captures a session with the message to be replayed, he stops reseting the connection and waits for signal to perform the replay to of the PD to CP message (ex: by signaling remotly to the MIMT device or setting
      a specific timing).
    • in order to replay, the attacker will craft a specific RMAC_I message in the proper seq of the execution, which will result in reverting the RMAC to the begining of the session.
    • At that phase - attacker can replay all the messages from the begining of the session.

Impact

Replay attack

Patches

This issue has been fixed in 298576d

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Local
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE ID

CVE-2024-52288

Weaknesses

No CWEs

Credits