Exploration of Entersekt Transakt secure gateway - a security analysis

The product “Transakt” from Entersekt has been known and used in the financial market, at the latest since the European PSD2, as a 2-FA authentication method. There are white-label smartphone apps from different financial institutions; search the Play Store for ‘com.entersekt.authapp’.

They may use the “secure gateway” hardware as an on-premise installation.

In my project I have regular access to such hardware, and it has been on my personal to-do list for a while to analyze this gateway.
I’m sure they take care of their products!

An SSH login is possible, but Entersekt does not provide the node-specific credentials.

I took the brute-force route due to the lack of SSH access.

  1. Power off the node and take one of the two SSD disks out.

  2. Clone the whole disk so that you work on a copy on an external PC:
    dd if=/dev/sda of=/dev/sdb

  3. Remove the original disk from the external PC.

  4. Start Linux (here gparted Live was used) and look at the block devices:
    lsblk
    fdisk -l


great! it’s a ‘linux_raid_member’ RAID 1

sda1 -> md127 -> root
sda2 -> md124 -> boot

Stop the auto-assembled arrays, then assemble each one from the single cloned member (--run starts the degraded array) and mount it:

mdadm --stop /dev/md127
mdadm --stop /dev/md124

mdadm --assemble /dev/md127 /dev/sda1 --run
mdadm --assemble /dev/md124 /dev/sda2 --run

mount /dev/md127 /mnt/root
mount /dev/md124 /mnt/boot

There are no secrets any longer 😉
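The offline mount works because the RAID members carry plain filesystems with nothing in between. As an added defender's check (not part of the original post), the Python below parses the output of `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME` and reports which md arrays can be read from a single cloned member; the sample output is constructed after the layout above, and the encrypted md125 is hypothetical.

```python
import shlex

# Constructed sample of `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME`.
# sda1/sdb1 -> md127 (root) and sda2/sdb2 -> md124 (boot) follow the gateway
# layout above; sdc1 -> md125 -> luks-data is a hypothetical encrypted array.
SAMPLE_LSBLK = """\
NAME="sda1" TYPE="part" FSTYPE="linux_raid_member" MOUNTPOINT="" PKNAME="sda"
NAME="md127" TYPE="raid1" FSTYPE="xfs" MOUNTPOINT="/" PKNAME="sda1"
NAME="sda2" TYPE="part" FSTYPE="linux_raid_member" MOUNTPOINT="" PKNAME="sda"
NAME="md124" TYPE="raid1" FSTYPE="xfs" MOUNTPOINT="/boot" PKNAME="sda2"
NAME="sdb1" TYPE="part" FSTYPE="linux_raid_member" MOUNTPOINT="" PKNAME="sdb"
NAME="md127" TYPE="raid1" FSTYPE="xfs" MOUNTPOINT="/" PKNAME="sdb1"
NAME="sdb2" TYPE="part" FSTYPE="linux_raid_member" MOUNTPOINT="" PKNAME="sdb"
NAME="md124" TYPE="raid1" FSTYPE="xfs" MOUNTPOINT="/boot" PKNAME="sdb2"
NAME="sdc1" TYPE="part" FSTYPE="linux_raid_member" MOUNTPOINT="" PKNAME="sdc"
NAME="md125" TYPE="raid1" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="sdc1"
NAME="luks-data" TYPE="crypt" FSTYPE="xfs" MOUNTPOINT="/data" PKNAME="md125"
"""

def parse_lsblk_pairs(text):
    """Turn `lsblk -P` KEY="value" lines into a list of dicts."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            rows.append(dict(tok.split("=", 1) for tok in shlex.split(line)))
    return rows

def audit_raid_arrays(text):
    """Map each md array to its member devices and whether it is under LUKS.
    An array counts as encrypted only if the md device itself is a LUKS
    container or a dm-crypt device is stacked directly on top of it."""
    arrays = {}
    rows = parse_lsblk_pairs(text)
    for r in rows:
        if r["TYPE"].startswith("raid"):
            a = arrays.setdefault(r["NAME"], {"members": set(), "encrypted": False,
                                              "mountpoint": r["MOUNTPOINT"]})
            if r["PKNAME"]:
                a["members"].add(r["PKNAME"])
            if r["FSTYPE"] == "crypto_LUKS":
                a["encrypted"] = True
    for r in rows:
        if r["TYPE"] == "crypt" and r["PKNAME"] in arrays:
            arrays[r["PKNAME"]]["encrypted"] = True
    return arrays

def unencrypted_arrays(text):
    """Arrays whose contents are readable from a single cloned member disk."""
    return sorted(n for n, a in audit_raid_arrays(text).items() if not a["encrypted"])
```

Run it against real `lsblk -P` output of an appliance: every name it returns is an array that an attacker with a cloned disk can mount exactly as shown above.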

I have now analyzed the current firmware GA 22.1-106 for possible vulnerabilities.

I wrote an e-mail with my findings on 08.12.2022 and a question on 16.12.2022.
I did it again via Twitter on 29.12.2022.
No response at all.
The question was simple: do you plan to update the firmware in the near future to an up-to-date status?

Ok! Currently I have found NO concrete new vulnerabilities, but a lot of outdated software.
I was surprised to find these versions.

The system is running on:
cat /etc/centos-release

CentOS Linux release 7.9.2009 (Core)

cat /etc/os-release

NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
...

It is based on kernel vmlinuz-3.10.0-1160.53.1.el7.x86_64.

Some software-stack lowlights:

  1. In this case the outdated HAProxy 1.5 branch (1.5.18-9) is at least even helpful, because no known HTTP request smuggling such as CVE-2019-18277 or CVE-2021-40346 is possible. Bad for me.

  2. The OWASP dependency checker found a lot of known vulnerabilities in the Tomcat WAR webapps.
    Even though these may not be exploitable, updates should be applied.
    • RunAsRoot.jar: Vulnerable Dependencies: 25
    • SuperDoctor5: Vulnerable Dependencies: 44
    • sg /ecertx509server1/: Vulnerable Dependencies: 5
    • sg /ROOT/: Vulnerable Dependencies: 12
    • sg-console-web /ROOT/ (version 202202172243.18): Vulnerable Dependencies: 17

  3. Just to name a few outdated components:
    • Java OpenJDK 8u262-b10 from 2020
    • Tomcat 9.056 from December 2021
    • Vaadin 7.7.17 from December 2019
    • Apache Shiro 1.6.0
    • Apache Cassandra 3.11.11, but without the vulnerable configuration that gives RCE
    • ... The rest of the component versions they know themselves.

Now I’m in challenge-accepted mode to find a new vulnerability.

I need a vulnerability such as HTTP request smuggling or SSRF on their SOAP or REST endpoints or the Vaadin UI to be able to trigger my own localhost call to the RunAs service,
because I have the assumption that I could pass additional Unix bash shell commands as payload in one of the internal REST calls.

Access should be possible only from the internal network behind a DMZ. There is an open public port, but it is mTLS secured.
In summary, only interesting for an internal attacker?

Disclaimer

The information provided is released “as is” without warranty of any kind. The publisher disclaims all warranties, either express or implied, including all warranties of merchantability. No responsibility is taken for the correctness of this information. In no event shall the publisher be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if the publisher has been advised of the possibility of such damages.

The contents of this advisory are copyright (c) 2023 by psytester and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

Written on January 4, 2023 | Last modified on January 5, 2023