Researchers have discovered critical vulnerabilities in the "OSCI-Transport" communication library, which plays an important role in the German e-government, reports SEC Consult.
The OSCI-transport protocol is the required communication protocol for public admins and foundation for e-government. It serves as a secure channel for government agencies to communicate across areas like population registration, justice system, and public health system. Attackers should not be able to view or interfere with messages.
Experts broke some of the security safeguards OSCI claims to have. They demonstrated how a hacker could use an external XML Entity Injection attack, which would let him or her read local files on communication partners' systems. Someone who accessed the communication channel could also decrypt parts of a message and, in some cases, potentially forge messages.
SEC Consult notes that a full security audit has not been performed, and there is a possibility further vulnerabilities exist.
Read more details here.