The COVID-19 pandemic forced several governments across the world to restrict civil liberties and movement. However, with new technologies such as contact tracing apps to aid in tracking and containing the spread of the virus, some governments are now able to slowly lift previously imposed restrictions. Ironically, a remote code execution (RCE) vulnerability was uncovered in the underlying (application) infrastructure of Germany’s official COVID-19 contact tracing app, the Corona-Warn-App (CWA).
According to researcher Alvaro Muñoz, the vulnerability was first discovered when he, along with his team at GitHub Security Lab, was chasing RCE vulnerabilities on the platform and found one in the infrastructure supporting Germany’s CWA for Android and iOS. Fortunately, the team was able to mitigate the issue using the SAP gateway and classified it as a server-side vulnerability with little to no loss of data.
Since RCE vulnerabilities allow attackers to run malware on the vulnerable computer, “this vulnerability had the potential to affect the integrity of Germany’s COVID-19 response and as such warranted an immediate response from our team,” said Muñoz.
The bug was located in the Submission Service, a microservice developed atop the Spring Boot framework. The service validates the information submitted by the app: a component called the Submission Controller receives the user-supplied information, which is then checked by the Valid Submission Payload validator.
Muñoz noted that the impact was amplified because POST requests sent to the Submission Service are accepted by default and require no further authorization or authentication. Because the Submission Service is publicly exposed, it is more exposed to RCE attacks.
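The validator described above is a Spring Boot ConstraintValidator, and the bug class GitHub Security Lab reported in it was expression-language injection: Hibernate Validator evaluates "${...}" inside a constraint-violation message template as an expression, so building the template from a submitted field turns input validation into server-side code execution. The Java below is an added illustration, not cwa-server code; SubmissionPayload, VisitedCountryValidator and the country list are constructed stand-ins, with the unsafe pattern beside the fixed one.

```java
import java.lang.annotation.Annotation;
import java.util.List;
import java.util.Set;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;

/** Constructed stand-in for the submitted payload (the real one is generated from protobuf). */
record SubmissionPayload(List<String> visitedCountries) {}

/**
 * Hypothetical payload validator in the style of the ValidSubmissionPayload validator the
 * article names. reportUnsafe() shows the bug class; reportSafe() is the fix.
 */
public class VisitedCountryValidator
    implements ConstraintValidator<Annotation, SubmissionPayload> {

  // Constructed allow-list; the real service has its own list of supported countries.
  private static final Set<String> SUPPORTED = Set.of("DE", "FR", "IT", "ES");

  @Override
  public boolean isValid(SubmissionPayload payload, ConstraintValidatorContext ctx) {
    ctx.disableDefaultConstraintViolation();  // we report our own violations below
    boolean valid = true;
    for (String country : payload.visitedCountries()) {
      if (!SUPPORTED.contains(country)) {
        valid = false;
        reportSafe(ctx, country);   // the vulnerable variant would call reportUnsafe here
      }
    }
    return valid;
  }

  /** VULNERABLE: the untrusted value becomes part of the message *template*. The template
   *  is interpolated, so "${...}" sequences inside `country` are evaluated on the server. */
  static void reportUnsafe(ConstraintValidatorContext ctx, String country) {
    ctx.buildConstraintViolationWithTemplate("Invalid visited country: " + country)
       .addConstraintViolation();
  }

  /** FIXED: the template is a compile-time constant, so nothing submitted by the client is
   *  ever interpolated. The rejected value goes to a log parameter instead, which gives the
   *  SIEM something to alert on without putting it through the template engine. */
  static void reportSafe(ConstraintValidatorContext ctx, String country) {
    ctx.buildConstraintViolationWithTemplate("Invalid visited country")
       .addConstraintViolation();
    System.getLogger(VisitedCountryValidator.class.getName())
          .log(System.Logger.Level.WARNING, "rejected visited country {0}", country);
  }
}
```

Also check the Hibernate Validator version in use: releases from 6.2 onward disable expression evaluation for custom constraint violations by default, but that is a library default, not a substitute for keeping client input out of the template.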
How to mitigate such attacks
The Corona-Warn-App notifies the user if they come in contact with a COVID-19 patient, and tampering with data like this can be detrimental. Therefore, a strong security solution that can detect remote code executions and any other malicious intrusions is of vital importance.
Log360, ManageEngine’s comprehensive SIEM solution, can detect suspicious software and malware installation, remote code executions, lateral movements, and more.