CVE Vulnerabilities

CVE-2024-23674

Authentication Bypass by Spoofing

Published: Feb 15, 2024 | Modified: Nov 06, 2024
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu

The Online-Ausweis-Funktion eID scheme in the German National Identity card through 2024-02-15 allows authentication bypass by spoofing. A man-in-the-middle attacker can assume a victims identify for access to government, medical, and financial resources, and can also extract personal data from the card, aka the sPACE (Spoofing Password Authenticated Connection Establishment) issue. This occurs because of a combination of factors, such as insecure PIN entry (for basic readers) and eid:// deeplinking. The victim must be using a modified eID kernel, which may occur if the victim is tricked into installing a fake version of an official app. NOTE: the BSI position is ensuring a secure operational environment at the client side is an obligation of the ID card owner.

Weakness

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

References