漏洞标题
libosdp中RMAC还原到会话开始的漏洞
漏洞描述信息
N/A
CVSS信息
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
漏洞类别
将资源暴露给错误范围
漏洞标题
RMAC revert to the beginning of the session in libosdp
漏洞描述信息
libosdp is an implementation of IEC 60839-11-5 OSDP (Open Supervised Device Protocol) and provides a C library with support for C++, Rust and Python3. In affected versions an unexpected `REPLY_CCRYPT` or `REPLY_RMAC_I` may be introduced into an active stream when they should not be. Once RMAC_I message can be sent during a session, attacker with MITM access to the communication may intercept the original RMAC_I reply and save it. While the session continues, the attacker will record all of the replies and save them, till capturing the message to be replied (can be detected by ID, length or time based on inspection of visual activity next to the reader) Once attacker captures a session with the message to be replayed, he stops resetting the connection and waits for signal to perform the replay to of the PD to CP message (ex: by signaling remotely to the MIMT device or setting a specific timing). In order to replay, the attacker will craft a specific RMAC_I message in the proper seq of the execution, which will result in reverting the RMAC to the beginning of the session. At that phase - attacker can replay all the messages from the beginning of the session. This issue has been addressed in commit `298576d9` which is included in release version 3.0.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS信息
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
漏洞类别
通信信道中传输过程中消息完整性的不正确执行
漏洞标题
LibOSDP 安全漏洞
漏洞描述信息
LibOSDP是goToMain开源的一个 IEC 60839-11-5 开放式监控设备协议的跨平台开源实现。旨在提高访问控制和安全产品之间的互操作性。 LibOSDP 3.0.0之前版本存在安全漏洞,该漏洞源于可能会在活动流中引入意外的REPLY_CCRYPT或REPLY_RMAC_I,而它们不应该出现,一旦RMAC_I消息可以在会话期间发送,具有MITM通信访问权限的攻击者就可以拦截原始RMAC_I回复并保存。
CVSS信息
N/A
漏洞类别
其他
