An issue has been identified in the infrastructure that powers the Corona-Warn-App on Android and iOS.
Experts from GitHub Security Labs have discovered a critical vulnerability in the official German Corona-Warn-App (CWA), the application used to trace contacts of people infected with the coronavirus (COVID-19). Exploiting it could allow an attacker to execute arbitrary code remotely.
The vulnerable code was in the Submission Service, a microservice built on the Spring Boot framework that validates information submitted by CWA users. This is done by SubmissionController, which checks various aspects of the submitted information, for example that all required fields are filled in. The data itself is validated by the ValidSubmissionPayload validator.
“If any validated properties of the bean are passed into a custom constraint violation template, the attacker-controlled property will evaluate to an Expressional Language, allowing arbitrary Java code to be evaluated,” the researchers explained.
POST requests to the Submission endpoint are accepted by default and require no additional authorization or authentication, and the submission endpoint itself is publicly accessible, so the flaw can be reached remotely.
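The pattern the researchers describe, a custom Bean Validation constraint whose violation message is built from the validated value, as an added example that is not code from the CWA project. It assumes javax.validation (Bean Validation 2.0) with Hibernate Validator and an EL implementation on the classpath; the `ValidCountry` constraint, `CountryValidator`, `SubmissionPayload` and the allow-list are hypothetical.

```java
import java.lang.annotation.*;
import java.util.Set;
import javax.validation.*;

// Hypothetical constraint on a submission field (example, not the CWA project's code).
@Target(ElementType.FIELD) @Retention(RetentionPolicy.RUNTIME)
@Constraint(validatedBy = CountryValidator.class)
@interface ValidCountry {
    String message() default "Invalid country";
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};
}

class CountryValidator implements ConstraintValidator<ValidCountry, String> {
    private static final Set<String> ALLOWED = Set.of("DE", "FR", "IT"); // constructed allow-list

    @Override
    public boolean isValid(String value, ConstraintValidatorContext ctx) {
        if (value != null && ALLOWED.contains(value)) return true;
        ctx.disableDefaultConstraintViolation();
        // VULNERABLE pattern: the user-controlled value becomes part of the message template,
        // so "${...}" inside the input is interpolated as Expression Language.
        //   ctx.buildConstraintViolationWithTemplate("Unknown country: " + value).addConstraintViolation();
        // Hardened: a fixed template carries no user input; the rejected value is still
        // available to callers through ConstraintViolation#getInvalidValue().
        ctx.buildConstraintViolationWithTemplate("Unknown country code").addConstraintViolation();
        return false;
    }
}

class SubmissionPayload {
    @ValidCountry String origin;
    SubmissionPayload(String origin) { this.origin = origin; }
}

public class ElInjectionDemo {
    public static void main(String[] args) {
        Validator validator = Validation.buildDefaultValidatorFactory().getValidator();
        // Constructed probe: the vulnerable template would interpolate it to "Unknown country: 2";
        // the fixed template leaves the message untouched.
        for (ConstraintViolation<SubmissionPayload> v :
                validator.validate(new SubmissionPayload("${1+1}"))) {
            System.out.println(v.getMessage() + " (rejected: " + v.getInvalidValue() + ")");
        }
    }
}
```

Any validator whose message template is concatenated from request data is worth flagging in review; the `${1+1}` probe above is a quick way to confirm whether a given template is interpolated.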
The researchers reported their findings to SAP and worked with the company to fix the problem.