Vulnerability Description
The Online-Ausweis-Funktion eID scheme in the German National Identity card through 2024-02-15 allows authentication bypass by spoofing. A man-in-the-middle attacker can assume a victim's identify for access to government, medical, and financial resources, and can also extract personal data from the card, aka the "sPACE (Spoofing Password Authenticated Connection Establishment)" issue. This occurs because of a combination of factors, such as insecure PIN entry (for basic readers) and eid:// deeplinking. The victim must be using a modified eID kernel, which may occur if the victim is tricked into installing a fake version of an official app. NOTE: the BSI position is "ensuring a secure operational environment at the client side is an obligation of the ID card owner."
CVSS Score
CRITICAL
Related Weaknesses (CWE)
References
- https://ctrlalt.medium.com/space-attack-spoofing-eids-password-authenticated-con
- https://www.ausweisapp.bund.de/
- https://www.dropbox.com/scl/fi/2powlii0dnmr7p7v5ijhc/2024_German_eID_02_Spoofing
- https://www.personalausweisportal.de/
- https://ctrlalt.medium.com/space-attack-spoofing-eids-password-authenticated-con
- https://www.ausweisapp.bund.de/
- https://www.dropbox.com/scl/fi/2powlii0dnmr7p7v5ijhc/2024_German_eID_02_Spoofing
- https://www.personalausweisportal.de/
FAQ
What is CVE-2024-23674?
CVE-2024-23674 is a vulnerability with a CVSS score of 9.6 (CRITICAL). The Online-Ausweis-Funktion eID scheme in the German National Identity card through 2024-02-15 allows authentication bypass by spoofing. A man-in-the-middle attacker can assume a victim's identify for...
How severe is CVE-2024-23674?
CVE-2024-23674 has been rated CRITICAL with a CVSS base score of 9.6/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2024-23674?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.