Vulnerabilities in Basware Banking

Two vulnerabilities have been discovered in a banking software used for corporate payments. Leveraging these vulnerabilities requires access to the internal network of the organization.

Basware Banking is a software program used for corporate payment processing. Two vulnerabilities have been discovered in this program. The first vulnerability (CVE-2015-0943) may allow an attacker to access or modify sensitive information due to the lack of transport encryption between client and server.

The second vulnerability (CVE-2015-0942) could be used to circumvent some protections related to access control. In a typical installation no access to the system is allowed from public networks which limits the risk caused by these vulnerabilities.

Vulnerability coordination

The vulnerabilities were discovered by Samuel Lavitt. NCSC-FI would like to thank him and Basware for participating in the coordination.

  • Servers and server applications
  • Workstations and end-user applications
  • Network devices
  • Mobile communications systems
  • Embedded systems
  • Others

Target

  • Servers and server applications
  • Workstations and end-user applications
Further information +

Attack vector

  • No authentication required
  • Remote
  • No user interaction required
Further information on the access vector +

Impact

  • Editing of information
  • Obtaining of confidential information
  • Security bypass
Further information on the impact +

Remediation

  • Software update patch
Further information on the remediation +

Vulnerable software:

Basware Banking 9.10.0.0 and previous versions

Possible solutions and restrictive measures:

There is an update available for the access control vulnerability (CVE-2015-0942). Make sure that the software is updated according to the vendor's instructions to version 9.10.0.0 or later.

According to the vendor, native transport encryption has been implemented in version 9.10.0.0. After implementing encryption, changing the credentials used by the software should be considered.

Both of the vulnerabilities can be mitigated by restricting access to the software from designated workstations only.

Further information:

Contact Information

NCSC-FI Vulnerability Coorination can be contacted as follows:
Email: vulncoord@ficora.fi
Please quote the advisory reference [FICORA #802102] in the subject line.

Telephone:
+385 295 390 230
Monday - Friday 08:00 – 16:15 (EET: UTC+2)

Post:
Vulnerability Coordination
FICORA / NCSC-FI
P.O. Box 313
FI-00181 Helsinki
FINLAND

NCSC-FI encourages those who wish to communicate via email to make use of our PGP key. The key is available at https://www.viestintavirasto.fi/en/informationsecurity/ficorasinformationsecurityservices/vulnerabilitycoordination.html

Update 29.7.2015:

Vulnerability details have been published on the Full Disclosure mailing list: http://seclists.org/fulldisclosure/2015/Jul/120

Update 7.8.2015:

Updated update information related to CVE-2015-0943

Update history

Key words: Information security , CERT , NCSC-FI , Vulnerability coordination , Vulnerabilities

LinkedIn Print

logo

The Finnish Communications Regulatory Authority (FICORA)

The National Cyber Security Centre Finland (NCSC-FI)

Itämerenkatu 3 A

P.O. Box 313

FI-00180 HELSINKI


Media contacts by telephone +358 295 390 248