Major vulnerability patched in the EU's eIDAS authentication system

Exclusive: Vulnerability would have allowed attackers to pose as any EU citizen or business.


European authorities today released a patch for the eIDAS system. The patch fixes two security flaws that could allow an attacker to pose as any EU citizen or business during official transactions.

eIDAS stands for electronic IDentification, Authentication and trust Services. It is a very complex, cryptographically secured system for managing electronic transactions and digital signatures between EU member states, citizens, and businesses.

The EU created eIDAS in 2014 to allow member state governments, citizens, and businesses to carry out cross-border electronic transactions that can be verified against official databases in any country, regardless of the origin state of the transaction.

eIDAS-Node is the official software package that government organizations run on their servers to support eIDAS-friendly transactions against their private databases.

Because of this central role, any vulnerability in the eIDAS-Node software can allow attackers to tamper with official EU digital transactions, such as tax payments, bank transfers, and goods shipments.

Two vulnerabilities found in eIDAS-Node

In a report shared exclusively with ZDNet last week, security researchers from SEC Consult said they found two such vulnerabilities that could allow an attacker to pose as any EU citizen or business.

SEC Consult researchers said they found that current versions of the eIDAS-Node package fail to validate certificates used in eIDAS operations, allowing attackers to fake the certificate of any other eIDAS citizen or business.

To carry out the attack, a threat actor only needs to initiate a malicious connection to an eIDAS-Node server of any member state, and supply forged certificates during the initial authentication process.
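The flaw class described above, a verifier that checks a message signature against the certificate that arrived with the message but never validates that certificate against a trust anchor, can be contrasted with a verifier that does. The Go program below is an added illustration, not eIDAS-Node code and not a model of the exact eIDAS-Node bug; the trust anchor, the subject names, the Ed25519 keys and the signed message are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues an Ed25519 certificate for cn; a nil parent makes it self-signed.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: isCA,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: the certificate vouches only for itself
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey) // errors elided for brevity
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// weakVerify checks the signature under the certificate that came with the message but
// never asks who issued that certificate, so a forged certificate with a forged key passes.
func weakVerify(msg, sig []byte, cert *x509.Certificate) bool {
	return cert.CheckSignature(x509.PureEd25519, msg, sig) == nil
}

// strictVerify also requires the presented certificate to chain to a configured trust
// anchor; a certificate not issued by a trusted CA is rejected whatever name it claims.
func strictVerify(msg, sig []byte, cert *x509.Certificate, roots *x509.CertPool) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil && weakVerify(msg, sig, cert)
}

// demo builds a constructed trust anchor, a certificate it issued, and a forged self-signed
// certificate claiming the same subject, then reports how each verifier treats them.
func demo() (weakAcceptsForged, strictAcceptsForged, strictAcceptsLegit bool) {
	ca, caKey := mkCert("Constructed trust anchor", true, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	legit, legitKey := mkCert("Example Citizen", false, ca, caKey)
	forged, forgedKey := mkCert("Example Citizen", false, nil, nil) // attacker-made, same name, untrusted issuer
	msg := []byte("constructed authentication assertion for Example Citizen")
	sigForged, sigLegit := ed25519.Sign(forgedKey, msg), ed25519.Sign(legitKey, msg)
	return weakVerify(msg, sigForged, forged), strictVerify(msg, sigForged, forged, roots), strictVerify(msg, sigLegit, legit, roots)
}
```

The weak verifier accepts the forged certificate because the signature is internally consistent; the strict verifier rejects it because nothing in the trust store issued it, while still accepting the CA-issued certificate.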

"We have demonstrated this attack in our setup using the application provided by the European Commission. Therefore, we generally expect this attack to be feasible," Wolfgang Ettlinger, SEC Consult Senior Security Consultant, told ZDNet in an email today.

"However, we do not have detailed information about the configuration or additional security measures of the deployed production systems," Ettlinger added. "We, therefore, are unable to give information about which member state was affected to which degree."

A spokesperson for the European Commission's CONNECT division acknowledged an email from ZDNet but declined to comment publicly.

An update to the eIDAS-Node software package (v2.3.1) is scheduled to be released today, along with a security advisory urging member states to update eIDAS-Node.

Technical details about the two vulnerabilities are available in SEC Consult's security advisory that is scheduled to go live later today.