Possible leak of private keys #103
Comments
Image in above have been redacted - available from the security team at the EU; or contact the team of the Kingdom of The Netherlands via security at rdobeheer dot nl. |
Why the Netherlands? The two passes here are signed one with a French key and the other with a Polish key. Is Netherland responsible for the emission of these keys? |
We are passing these on to Poland and France. Unfortunately here in NL we only have the addresses of the project lead / lead architects at those countries; and not their generic security reporting address. And I did not want to delete these keys without leaving at least one option for those that need them to get them again; nor did I want to disclose their names here either without getting their OK. |
Sure, it is perfectly understandable. What worries me is that is unclear how the keys were obtained, and I think that a leak in two different countries is very unlucky event. On some forum there is a script for brute forcing the keys from the public. I don't know if that was the method used but in that case it means that also the other keys are in danger. I attach here the brute force code that I found, to allow you to inspect it. If you don't want to have it public feel free to remove it, but consider that it is already on several social networks/
|
Thanks - that is good information - I'll try to ge the EHN technical team to investigate (as they do not monitor this space closely/it at all). Of course - brute forcing is always an option -- and that is what this scripts seems to do in a very simple, un-systematic way. Which ought to take forever. But the existence of this may suggest it is too easy; which implies a weak key or similar issue - and that needs to be checked. And will also try to get the security contact on this repository updated - to provide a secure channel. If there are things you want to share that are (more) sensitive -- feel free to use https://english.ncsc.nl/report-vulnerability for now. |
Perfect, thanks, I will contact you if I have other information. |
Out of curiosity, why was what I guess is the Hitler certificate removed from the original post? It's already circulating, and won't go away. It should ideally be revoked ASAP (but AFAIU revoking individual certs isn't supported everywhere?), but hiding it won't look good - newspapers will report about this anyway. |
While I cannot speak to the actions of my colleagues in the e-Health-Network, removing these fake certificates in other project-related places is not a matter of hiding this from the press (that is why all other information that cannot be actively abused remains), but a best-practices policy to aim to reduce the spread. Of course, there is no way to prevent this from happening on social media, but nobody wants their support channel to become a spreading factor on top of that. |
I fully agree with this policy and I apologise for posting them here in the first place but I had no idea how to report this and I think it was important to have an "official" place to discuss this issue. |
You have all the information to contact the French security agency, including PGP key, here: https://www.cert.ssi.gouv.fr/contact/ |
The right French team has been informed a few hours ago - and has confirmed they are on it.
|
There's another forged QR code from the same forum that seems to have been issued by the German health authority, with some text in Finnish in the name area; is there a simple way for me to extract the correlated public key without publishing the QR here? |
@Valeri0p The 'DCC Scanner App' by the government of The Netherlands gives advanced info under the results. Such as:
|
Valeri0p, you can use the scripts here to verify the key: https://github.com/ehn-dcc-development/ehn-sign-verify-python-trivial |
While it seems to be correct in what it does, the fact that they use ThreadPool in Python expecting to gain any performance is pretty funny. |
Here are my diagnostic scripts, they're a bit hacky but yet :) Mail me if you need a hand (see my profile) https://github.com/ryanbnl/eu-dcc-diagnostics |
Well, not if they're using the |
Beware that ECDSA signatures can leak the private key if the ECDSA signature is created using a bad RNG. See the Sony hack and the Chaos computer club. |
Code for the mis-issued german certificate: QR Code:
Output from verification attempt:
|
@intUnderflow I've hid your post for now, I need to confirm that it does not contain any personal information :) |
This comment has been minimized.
This comment has been minimized.
@ryanbnl the comment is still visible if you click the "show comment" button to the right. From what I can see, @intUnderflow 's paste contains fake personal data. |
Thanks, I've removed anything that can be PII. |
This comment has been minimized.
This comment has been minimized.
I would also re-iterate: the news reports that a DSC - the SIGNING key - has been leaked do not appear to in any way reflect reality. |
@ryanbnl : From what I could find in this issue and in other places, it seems that only a few wrong vaccination passports are in circulation, not an actual signing key? @emanuelelaface does this match what you saw? I just had someone creating vaccination certificates explain the process to me again, and there is very little security built into the system of creating vaccination certificates on site. As such, isn't the more likely scenario the creation of rogue vaccination certificates, not leaking/brute forcing of the signing keys? |
You might want to remove the key ids as well as the originals are a Google search away... |
No key leaks, nothing confirmed yet at least. |
We definitely need a facepalm reaction on github... |
The password is a salted MD5 hash in APR1 format:
The pull request was opened on 21 may. The plain text value of the password was not commited. The pull request has only one commit. It should only possible to bruteforce the password, if a simple password was used. 🤔 |
As @Xiloe stated:
So no need to bother with those creds... @manfred-kaiser simply not needed 🤦 |
That's a really bad 😞 |
@PLTorrent would you mind sharing the endpoints and details? Via the security.md instructions here, or if that for some reason is not possible, then share with my via Telegram (@bunchofcoconutz) so that I can share with my colleges in the EU. |
I think it's better not to share details about the attack vector on a public channel, when most systems are not protected. Those information should be shared in a private group or sent to the certs. |
I would strongly suggest that an upgrade to bcrypt as password hash as well, although the default password is of course a bigger issue. 1000 rounds of MD5 and a 48 bit random salt is not considered very secure; it won't add much protection to weaker passwords. |
Exactly, via the contact address in security.md or to me via Telegram (so with e2e encryption. Thanks for the clarification: please share responsibly - so via a secure channel, with people who you can verify/identify. |
If this public hash was really the source of the bogus certificates I hope the responsible people make sure this gets framed as "human mistake, can happen, we'll make sure that this does not happen again" (ideally with some automatisms that try to detect credentials in PRs or git commits in general) and not "this is why such things should not be done in the open" - I'm sure some newspapers would love to frame it as the latter. "Open Source destroys trust in COVID certs" or crap like that. |
In case nobody else has got there already, I've just sent some details over via the ncsc.nl form. |
@ryanbnl I have simply found the .htpasswd in the repo, nothing more.
@ThiefMaster It was not. @Xiloe already confirmed that the endpoints he found were not protected in any way bar one in DE that had "pin.health" authorization |
I think it's better to share details about the attack vector, so everyone can check, this is how opensource works |
That is not how responsible disclosure works. |
As long as the systems are unprotected, this can result in more fake certificates. Perhaps it's possible, that each country can provide some contacts (e.g national certs). It's common for open source software not providing public information before vulnerabilities are closed. |
Can you send it directly to our security team? There is a process @ NCSC.nl that will cause a delay. |
Please also send information to austrian certs: |
Most mature open source organisation use something called Responsible Disclousre - where details of attack vectors are kept confidential while the issue is fixed. And generally made public when enough of the estate is protected. A good example is at https://www.apache.org/security/ The EHN network (and most EU countries) follow substantially the same appraoch. |
Yes but someone can post it anyway and your risk is to loose credibility |
It seems pretty clear now, given the public information and (https://twitter.com/Xiloeee/status/1453493664806735876), that some unsecured dgca-issuance-web instances are running somewhere and are the source of the fake DGCs. I think this should be enough info for the eHN to urge members to go and secure all of the issuance-web instances (the members should know where they run these instances). |
https://github.com/eu-digital-green-certificates/dgca-issuance-web here :) |
Could we please stay focused here and refrain from insults? Also, it won't help anyone bringing politics into this discussion and only makes it more likely that this issue gets locked. I really hope this issue does not get locked, as this issue seems like a very good place where people with knowledge share their investigations. So please, come down everyone and stay focused! Thank you! |
@BLeQuerrec I know it's not quite relevant anymore since—as @Xiloe pointed out—the page is down now, however, 2 seconds of Google yields @nicolasjms @mamillmsft @snf @JosephBialekMsft @axsdnied @saaramarmsft as MSRC contacts easily taggable on github |
it now redirects to https://vakcinacija.mk/ |
@Xiloe how about the other ones? |
+their contact entry point for vulnerabilities is https://msrc.microsoft.com/create-report, but for issues like this one, one should instead check https://cert.microsoft.com/, which currently redirects to https://msrc.microsoft.com/report/abuse, and to where I've just submitted a report pointing to this thread here (don't worry, I didn't put the URL to the thread into the source URL field, I put example.invalid in there & put the URL in the comments, lest someone briefly thinks the issue this generates in their system relates to Github itself, which'd be bad, given that they own & run it.) but I'd recommend you submit the URL you found to there anyway @BLeQuerrec @Xiloe or whoever has it, despite the fact that it's already down by now I think they'll need all the help which they can get. Also, good morning y'all. |
This is not an issue with the technical specification, I will move this to discussions. |
On various groups (Telegram mainly) are circulating several forged Green Pass with valid signature, I attach two here.
<< image redacted - available from the security team >>
<< image redacted - available from the security team >>
I verified with my application and found that these two certificates are signed with the keys corresponding to these two public keys:
kid: 53FOjX/4aJs=
key: <EllipticCurvePublicNumbers(curve=secp256r1, x=59224424711316661084877973301841821584140021680113528472675651838972371380627, y=54841068689176540860306147861276004028606373898471432794562118907413910993957>
kid: HhkeqvrtQ0U=
key: <EllipticCurvePublicNumbers(curve=secp256r1, x=58474994431552591028397454866551462597403245555156280299836700796569353760692, y=94160389532428263599765213184431546448511972729790083405292977908540518398962>
There is the possibility that a database of private keys is compromised and this may ends up in a break of the chain of trust in the Green Pass architecture. I am not sure to who this should be reported, so I write this here.
The text was updated successfully, but these errors were encountered: