ID:            CVE-2019-25020
Product:       Scytl Secure Vote (sVote)
Version:       2.1
Vulnerability: Unauthenticated REST Endpoints leading to Secure-Data-Manager admin configuration leak

Description

None of the specified Jax-RS REST endpoints in the application require authentication.
An example can be found in the following file:
evoting-solution-master/source-code/online-voting-secure-data-manager/secure-data-manager-backend/sdm-ws-rest/src/main/java/com/scytl/products/ov/sdm/ui/ws/rs/application/PreconfigurationResource.java


@RequestMapping(method = RequestMethod.POST, produces = "application/json")
@ResponseStatus(value = HttpStatus.CREATED)
@ApiOperation(value = "Get configuration", notes = "Service to retrieve the configuration of administration"
    + " boards and election events.", response = String.class)
public String createElectionEvent() throws IOException {

    transactionInfoProvider.generate(tenantId, "", "");

    secureLogger.log(Level.INFO, new LogContent.LogContentBuilder()
            .logEvent(SdmSecureLogEvent.SDM_SYNCHRONIZING_WITH_AP)
            .createLogInfo());

    String result = null;
    if (!isAdminPortalEnabled) {

        LOGGER.info(
                "The application is configured to not have connectivity to Admin Portal, " +
                        "check if this is the expected behavior");

        secureLogger.log(Level.ERROR,
                new LogContent.LogContentBuilder()
                        .logEvent(SdmSecureLogEvent.SDM_SYNCHRONIZATION_WITH_AP_FAILED)
                        .additionalInfo("err_desc",
                                "The application is configured to not have connectivity to Admin Portal, " +
                                "check if this is the expected behavior")
                        .createLogInfo());
    }
    // call to end point to download data from administration portal
    else if (preconfigurationRepository.download(configFile)) {
        // process the download data
        result = preconfigurationRepository.readFromFileAndSave(configFile);
    }

    secureLogger.log(Level.INFO, new LogContent.LogContentBuilder()
            .logEvent(SdmSecureLogEvent.SDM_SYNCHRONIZED_WITH_AP_SUCCESSFULLY)
            .createLogInfo());

    return result;
}
The admin portal is enabled by default:
evoting-solution-master/source-code/online-voting-secure-data-manager/secure-data-manager-backend/sdm-ws-rest/sdmConfig/admin_portal.properties:adminPortal.enabled=true
evoting-solution-master/source-code/online-voting-secure-data-manager/secure-data-manager-backend/secure-data-manager-services/src/main/java/com/scytl/products/ov/sdm/infrastructure/preconfiguration/PreconfigurationRepositoryImpl.java:    @Value("${adminPortal.enabled:true}")
By sending a POST request to the following API, the admin configuration can be received:
/sdm-ws-rest/preconfiguration
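The endpoint above is a plain Spring MVC controller method with no authentication rule in front of it. As an added illustration (not code from the sVote code base), the following Spring Security configuration shows the shape of the missing control: a deny-by-default policy for the REST prefix, with the preconfiguration endpoint additionally restricted to an operator role. The role name SDM_OPERATOR and the presence of Spring Security on the classpath are assumptions; the path patterns assume /sdm-ws-rest is a servlet path inside the application and must be shortened to /preconfiguration if it is the deployment context path instead.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

// Hypothetical hardening configuration; not part of the original advisory or product.
@Configuration
@EnableWebSecurity
public class SdmRestSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // The REST backend is consumed by the SDM UI, not by browser navigation,
            // so no server-side session is needed. CSRF protection is left at its
            // default (enabled) so cached Basic credentials cannot be replayed by a
            // cross-site form post.
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                // Triggering the admin-portal download and returning its contents is
                // an operator action: require a specific role, not just "logged in".
                // SDM_OPERATOR is an assumed role name.
                .antMatchers(HttpMethod.POST, "/sdm-ws-rest/preconfiguration")
                    .hasRole("SDM_OPERATOR")
                // Every other endpoint under the REST prefix at least needs a principal.
                .antMatchers("/sdm-ws-rest/**").authenticated()
                // Deny by default: an endpoint added later without an explicit rule
                // is closed rather than silently exposed, which is the failure mode
                // this advisory describes.
                .anyRequest().denyAll()
            .and()
            // HTTP Basic is used here only to make the example self-contained; the
            // real deployment would plug in whatever credential the SDM UI already holds.
            .httpBasic();
    }
}
```

With this in place an anonymous POST to /sdm-ws-rest/preconfiguration is rejected with 401 before the controller method, and its call to preconfigurationRepository.download, is ever reached.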


Timeline

Date              Event
February 11 2020  Submitted vulnerability to vendor
February 13 2020  Submitted additional details to vendor
February 13 2020  Vendor response (nofix)

Credits

Name               Team
Anthony Schneiter  SUID
Jannis Kirschner   SUID