Department: Bundeswehr - CIR
Title: Over 50 reported weaknesses - a first conclusion on the VDPBw (Vulnerability Disclosure Policy of the Bundeswehr)
---
Date: 2020-12-03
Location: Bonn (Germany)
Reading Time: 5 min
---

Over 50 reported weaknesses - a first conclusion on the VDPBw (Vulnerability Disclosure Policy of the Bundeswehr)

At the end of October, the Bundeswehr called on IT security researchers to actively inform the Bundeswehr of weak points in its IT systems - with success. After seven weeks, the Chief Information Security Officer of the German Armed Forces (CISOBw), Major General Jürgen Setzer, draws an initial positive conclusion.

Picture: https://www.bundeswehr.de/resource/image/4842446/landscape_ratio16x9/800/450/3d229851c128e18c92868b2b4d071a0/Ne/ciso-juergen-setzer-erklaert-den-soldaten-was.jpg
With the Chief Information Security Officer of the Bundeswehr, Major General Jürgen Setzer, there is overall responsibility for cyber security in the Bundeswehr. (c) Bundeswehr / Martina Pump

General, around seven weeks have now passed since the Bundeswehr's Vulnerability Disclosure Policy was launched. What is your first conclusion?

On October 22nd, we launched the Bundeswehr's Vulnerability Disclosure Policy (VDPBw) and called on IT security researchers to actively point out weaknesses in the Bundeswehr's IT systems. Since then, over 20 IT security researchers have participated and submitted numerous reports regarding possible vulnerabilities. We first assess these reports to determine whether they are weaknesses within the meaning of the VDPBw. If this is the case, we act immediately. We have already fixed some weaknesses; others, more complex ones, are still being worked on. Our big thanks and respect go to all IT security researchers who contribute to making the IT systems of the Bundeswehr more secure. We show this publicly with the individual entry and the attribution on our thank you page.
Can you tell us which weak points in the Bundeswehr IT are involved here?

Yes, the majority of these are cross-site scripting weaknesses and configuration errors in our websites in the Bundeswehr. But the IT security researchers also showed us SQL injections and remote code execution options. With the help of the reporters and their detailed documentation, we have already been able to close them.

When it comes to breaking new ground, there is certainly also criticism of the path taken. What does it look like?

Picture: https://www.bundeswehr.de/resource/image/4842442/landscape_ratio16x9/800/450/ad8225d86ba5d50462a5a03ddf9d8b0a/nO/laptop-it-sicherheit.jpg
The Bundeswehr actively calls on IT security researchers to report weaknesses in its IT systems. (c) Bundeswehr / Stefan Uj

First of all, I can say that most of the feedback from professionals, other authorities and companies is positive. But of course there was also criticism. We are also very happy to accept constructive criticism. For example, the lack of financial incentives was criticized by many. Here, however, surprisingly for us, our guidelines for action were confused with a bug bounty, even by specialist media and experts, which we have expressly not advertised. We do not shy away from the controversial discourse with the public. Even before the VDPBw was published, we took findings in vulnerability reports from IT security researchers, such as @secuninj, @meme82 or the @vuln_lab, very seriously. There has already been constructive and good cooperation in this area in the past. The discussions with Dr. Sven Herpig from the New Responsibility Foundation or Manuel Atug from the AG KRITIS (Kritische Infrastrukturen) were also helpful. This communication is very important. It leads to transparency and a better mutual understanding.

But some are already criticizing the fact that the Bundeswehr does not comply with the law.
In particular, it concerns § 303a StGB. Are you bending the law here?

Understandably, the development of such a guideline does not happen overnight. Several lawyers from the Bundeswehr have checked our policy for suitability and adjusted it. We were able to develop a practicable solution for the Bundeswehr as an authority. In a nutshell, we allow IT security researchers to look for weak points in our systems. This also eliminates the criminal liability.

Legal classification: "By granting the appropriate consent to reveal the weak points within the framework of the Bundeswehr's Vulnerability Disclosure Policy, the elements of the offense 'unauthorized' (Sections 202a ff. StGB) or 'unlawful' (Section 303a StGB) can be excluded. According to §§ 202a ff. StGB, suitable objects of the offense are only data that are not intended for the perpetrator, i.e. that, according to the will of the authorized person, should not be available to him at the time of the offense; however, if the entitled person makes such a determination, the objective elements of the offense are excluded. In the context of a possible criminal liability according to § 303a StGB, the consent of the person entitled has the effect of excluding the offense, i.e. here too there would be no criminal liability."

Does that mean the Bundeswehr can now be hacked without the risk of punishment?

No, that's not exactly what it means. If the IT security researchers adhere to the guidelines of the VDPBw, then the reporters do not have to fear the matter being forwarded to the law enforcement authorities. The Bundeswehr is not holding a "Capture the Flag" event here, where everyone can try out something. The VDPBw provides the legal framework for orderly, professional vulnerability reporting to the Bundeswehr by third parties.
And so it continues to apply that if the IT security researcher is pursuing recognizable criminal or intelligence intentions, the German investigative authorities can prosecute them. The Bundeswehr can, however, express its intention not to report facts that are within the possibilities and limits of our VDP.

It is also repeatedly criticized that no scope was specified. What do you think about that?

From our point of view, the defined framework, the scope and the IT systems concerned are clearly evident from the guidelines of the VDPBw. The VDPBw speaks of weaknesses in the Bundeswehr's IT systems and web applications. These IT systems and web applications mean all IT systems connected to and accessible via the Internet. These are primarily the websites of the Bundeswehr and the associated departments. A look at the respective imprint of the sites should be enough to determine the affiliation with the Bundeswehr. Understandably, however, access to a weapon system or to confidential IT systems should not be possible per se via the public Internet. In addition, physical access would be required, which is not permitted according to our policy. The general rule for IT security researchers is to approach it with professional skill so that no damage is caused. Excluded from the reports, and remaining punishable, are "non-qualified vulnerabilities" as stated in the VDPBw.

Last but not least: one of the main criticisms that you have already mentioned was and is the lack of a bounty. Why is it "only" thanked with an entry on the thank you page?

The VDPBw is a Bundeswehr guideline for reporting vulnerabilities from third parties and not a bug bounty. We do not rely on financial incentives, but on the voluntary commitment of security researchers, and with success.
I would like to express my thanks to all security researchers who have supported us so far and will do so in the future.

Mr. General, from your point of view, the VDPBw is a successful tool for making the Bundeswehr's IT systems more secure. However, you will probably not rely on that alone.

Picture: https://www.bundeswehr.de/resource/image/4842754/landscape_ratio16x9/800/450/1c3ddd75c55486e69ef933cb35ba2e94/Sm/bild-incident-response.jpg
The professionals at the Bundeswehr Cyber Security Center protect the Bundeswehr's IT systems from attacks by setting up firewalls and constantly monitoring the IT networks. (c) Bundeswehr / Johann Flaum

Of course not. The application of the Bundeswehr's Vulnerability Disclosure Policy is a very good and already successful addition. However, it is only one pillar in addition to our own investigations to obtain information on unknown vulnerabilities and security gaps in our systems. To check the effectiveness of the technical and organizational measures, we rely on security inspections and audits. We also continue to use vulnerability analyses, penetration testing and red teaming in a targeted manner. Only with this holistic approach will we be able to make our IT systems more secure.

[by KdoCIR]

Reference: https://www.bundeswehr.de/de/organisation/cyber-und-informationsraum/aktuelles/ueber-50-gemeldete-schwachstellen-ein-erstes-fazit-zur-vdpbw-4838328

Note: The German original article has been translated from a public site of the Bundeswehr (bundeswehr.de) into an independent English version to inform the international whitehat scene and the international security business. In case of questions, please contact the press office of the Bundeswehr directly.
Reference: [Translation (EN)] https://paste.0xfc.de/?e9c928a8dafe3a42#9sBA3FybSFWNqoHFgrmNEACi8Df54y1Kqxc6NVB76oi1

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/