The Online-Ausweis-Funktion eID scheme in the German National Identity card through 2024-02-15 allows authentication bypass by spoofing. A man-in-the-middle attacker can assume a victim's identify for access to government, medical, and financial resources, and can also extract personal data from the card, aka the "sPACE (Spoofing Password Authenticated Connection Establishment)" issue. This occurs because of a combination of factors, such as insecure PIN entry (for basic readers) and eid:// deeplinking. The victim must be using a modified eID kernel, which may occur if the victim is tricked into installing a fake version of an official app. NOTE: the BSI position is "ensuring a secure operational environment at the client side is an obligation of the ID card owner."
History

Wed, 06 Nov 2024 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Ausweisapp
Ausweisapp online-ausweis-funktion
Weaknesses CWE-290
CPEs cpe:2.3:a:ausweisapp:online-ausweis-funktion:*:*:*:*:*:*:*:*
Vendors & Products Ausweisapp
Ausweisapp online-ausweis-funktion
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-02-15T00:00:00

Updated: 2024-11-06T17:24:04.694Z

Reserved: 2024-01-19T00:00:00

Link: CVE-2024-23674

cve-icon Vulnrichment

Updated: 2024-08-01T23:06:25.298Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-02-15T23:15:08.827

Modified: 2024-11-21T08:58:08.697

Link: CVE-2024-23674

cve-icon Redhat

No data.