Bundeswehr VDPBw 50+ reported vulnerabilities

[Vulnerability Lab <research () vulnerability-lab com>]

Department: Bundeswehr - CIR

Title: Over 50 reported weaknesses - a first conclusion on the
VDPBwVulnerability Disclosure Policy of the Bundeswehr

---
Date: 2020-12-03
Location: Bonn (Germany)
Reading Time: 5 min
---

Over 50 reported weaknesses - a first conclusion on the
VDPBwVulnerability Disclosure Policy of the Bundeswehr

At the end of October, the Bundeswehr called on IT security researchers
to actively inform the Bundeswehr of weak points in their IT systems -
with success. After seven weeks, the Chief Information Security Officer
of the German Armed Forces (CISOBwChief Information Security Officer),
Major General Jürgen Setzer, draws an initial positive conclusion.

Picture:
https://www.bundeswehr.de/resource/image/4842446/landscape_ratio16x9/800/450/3d229851c128e18c92868b2b4d071a0/Ne/ciso-juergen-setzer-erklaert-den-soldaten-was.jpg
With the Chief Information Security Officer of the Bundeswehr, Major
General Jürgen Setzer, there is overall responsibility for cyber
security in the Bundeswehr.
(c) Bundeswehr / Martina Pump


General, around seven weeks have now passed since the Bundeswehr's
Vulnerability Disclosure Policy was launched. What is your first conclusion?

On October 22nd, we launched the Bundeswehr's Vulnerability Disclosure
Policy (VDPBwVulnerability Disclosure Policy of the Bundeswehr) and
called on us to actively point out weaknesses in the Bundeswehr's IT
systems. Since then, over 20 IT security researchers have participated
and submitted numerous reports regarding possible vulnerabilities. We
initially assessed these reports to determine whether they were any
weaknesses within the meaning of the Bundeswehr's VDPBwVulnerability
Disclosure Policy. If this is the case, we will act immediately. We have
already fixed some weaknesses, others, more complex ones, are still
being worked on.

Our big thanks and respect go to all IT security researchers who
contribute to making the IT systems of the Bundeswehr more secure. We
show this publicly with the individual entry and the attribution on our
thank you page.

Can you tell us which weak points in the Bundeswehr IT information
technology are involved here?

Yes, the majority of these are cross-site scripting weaknesses and
configuration errors in our websites in the Bundeswehr. But the IT
security researchers also showed us SQL injections and remote code
execution options. With the help of the reporters and their detailed
documentation, we have already been able to close them.

When it comes to breaking new ground, there is certainly also criticism
of the path taken. What does it look like?

https://www.bundeswehr.de/resource/image/4842442/landscape_ratio16x9/800/450/ad8225d86ba5d50462a5a03ddf9d8b0a/nO/laptop-it-sicherheit.jpg
The Bundeswehr actively calls on IT security researchers to report
weaknesses in their IT systems.
(c) Bundeswehr / Stefan Uj

First of all, I can say that most of the feedback from professionals,
other authorities and companies is positive. But of course there was
also criticism. We are also very happy to accept constructive criticism.
For example, the lack of financial incentives was criticized by many.
Here, however, surprisingly for us, our guidelines for action were
confused with a bug bounty, even by specialist media and experts, which
we have expressly not advertised.

We do not shy away from the controversial discourse with the public.

Even before the Bundeswehr's VDPBwVulnerability Disclosure Policy was
published, we took findings on vulnerability reports from IT security
researchers, such as @secuninj, @ meme82 or the @vuln_lab, very
seriously. There has already been a constructive and good cooperation in
this area in the past. There were also discussions with Dr. Sven Herpig
from the New Responsibility Foundation or Manuel Atug from the AG
KRITISKritische Infrastrukturen are helpful. This communication is very
important. It leads to transparency and a better mutual understanding.

But some are already criticizing the fact that the Bundeswehr does not
comply with the law. In particular, it concerns § 303a StGB. Are you
bowing the right here?

Understandably, the development of such a guideline does not happen
overnight. Several lawyers from the Bundeswehr have checked our policy
for suitability and adjusted it. We were able to develop a practicable
solution for the Bundeswehr as an authority. In a nutshell, we allow IT
security researchers to look for weak points in our systems. This also
eliminates the criminal liability.

Legal classification:
"By granting the appropriate consent to reveal the weak points within
the framework of the Bundeswehr's Vulnerability Disclosure Policy, the
elements of the offense" unauthorized "(Sections 202 a ff. StGB) or"
unlawful "(Section 303 a StGB) can be excluded. According to §§ 202 a
ff. StGB, suitable crime objects are only data that are not intended for
the perpetrator, that is, should not be available to him at the time of
the crime according to the will of the authorized person; however, if
the entitled person makes such a determination, the objective factual
situation is excluded.
In the context of a possible criminal liability according to §303 a
StGB, the consent of the person entitled has the effect of excluding the
offense, i.e. here too there would be no criminal liability."

Does that mean the Bundeswehr can now be hacked without the risk of
punishment?

No, that's not exactly what it means. If the IT security researchers
adhere to the guidelines of the VDPBwVulnerability Disclosure Policy of
the German Armed Forces, then the reporters do not have to fear
forwarding the matter to the law enforcement authorities. The Bundeswehr
does not hold a "Capture the Flag" event here, where everyone can try
out something. The Bundeswehr's VDPBwVulnerability Disclosure Policy
provides the legal framework for an orderly professional vulnerability
reporting to the Bundeswehr by third parties. And so it continues to
apply that if the IT security researcher is pursuing recognizable
criminal or intelligence intentions, the German investigative
authorities can prosecute them. The Bundeswehr can, however, express its
intention not to report facts that are within the possibilities and
limits of our VDP.

It is also repeatedly criticized that no scope was specified. What do
you mean with that?

From our point of view, the defined framework, the scope and the IT
systems concerned are clearly evident from the guidelines of the
VDPBwVulnerability Disclosure Policy of the Bundeswehr. The Bundeswehr's
VDPBwVulnerability Disclosure Policy speaks of weaknesses in the
Bundeswehr's IT systems and web applications. These IT systems and web
applications mean all IT systems connected and accessible via the
Internet. These are primarily the websites of the Bundeswehr and the
associated departments. A look at the respective imprint of the
appearances should be enough to determine the affiliation with the
Bundeswehr. Understandably, however, a weapon system or access to
confidential IT systems should not be possible per se via the public
Internet. In addition, physical access is required, which is not
permitted according to our policy. The general rule for IT security
researchers is to approach it with professional skills so that no damage
is caused. Excluded from the reports and remain punishable, as stated in
the Bundeswehr's VDPBwVulnerability Disclosure Policy, “non-qualified
vulnerabilities”.

Last but not least: One of the main criticisms that you have already
mentioned was and is the lack of bounty. Why is it "only" thanked with
an entry on the thank you page?

The Bundeswehr's VDPBwVulnerability Disclosure Policy is a Bundeswehr
guideline for reporting vulnerabilities from third parties and not a bug
bounty. We do not rely on financial incentives, but on the voluntary
commitment of security researchers, and with success. I would like to
express my thanks to all security researchers who have supported us so
far and in the future.

Mr. General, from your point of view, the Bundeswehr's
VDPBwVulnerability Disclosure Policy is a successful tool for making the
Bundeswehr's IT systems more secure. However, you will probably not rely
on that alone.

https://www.bundeswehr.de/resource/image/4842754/landscape_ratio16x9/800/450/1c3ddd75c55486e69ef933cb35ba2e94/Sm/bild-incident-response.jpg
The professionals at the Bundeswehr Cyber Security Center protect the
Bundeswehr's IT systems from attacks by setting up firewalls and
constantly monitoring the IT networks.
(c) Bundeswehr / Johann Flaum

Of course not. The application of the Bundeswehr's Vulnerability
Disclosure Policy is a very good and already successful addition.
However, it is only one pillar in addition to our own investigations in
order to obtain information on unknown vulnerabilities and security gaps
in our systems. To check the effectiveness of the technical and
organizational measures, we rely on safety inspections and audits. We
also continue to use weak point analyzes, penetration testing and red
teaming in a targeted manner. Only with this holistic approach will we
be able to make our IT systems more secure.

[by KdoCIR]

Reference:
https://www.bundeswehr.de/de/organisation/cyber-und-informationsraum/aktuelles/ueber-50-gemeldete-schwachstellen-ein-erstes-fazit-zur-vdpbw-4838328


Note:
The german original article has been translated from a public site of
the bundeswehr (bundeswehr.de) to an independent english version to
inform the international whitehat scene and public international
security business.
In case of questions, please directly request the press office of the
bundeswehr.


Reference: [Translation (EN)]
https://paste.0xfc.de/?e9c928a8dafe3a42#9sBA3FybSFWNqoHFgrmNEACi8Df54y1Kqxc6NVB76oi1


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/