Security News > 2020 > November > German COVID-19 Contact-Tracing Vulnerability Allowed RCE
A security vulnerability in the infrastructure underlying Germany's official COVID-19 contact-tracing app, called the Corona-Warn-App, would have allowed pre-authenticated remote code execution.
Researcher Alvaro Muñoz wrote in a report this week that he and his team at GitHub Security Lab was chasing down RCE vulnerabilities on the platform and found one in the infrastructure supporting CWA for Android and OS. The team said it worked with SAP to mitigate the issue, adding as a server-side issue, the mobile apps themselves were not impacted, and that no data was collected beyond a device's IP address.
"There appeared to be a pre-authentication RCE vulnerability in Corona-Warn-App Server, which drives Germany's COVID-19 contact-tracing application infrastructure," according to Muñoz.
"The app informs us if we have had contact with a person diagnosed with COVID-19," according to the CWA site.
In Sept., the nonprofit Electronic Frontier Foundation warned about the possible implications of contact tracing apps to be used to stifle free speech protections, specifically calling out California's lack of privacy considerations in developing a tracing app for the state.
News URL
https://threatpost.com/german-covid-19-contact-tracing-vulnerability-rce/161419/
Related news
- Palo Alto Networks warns of potential PAN-OS RCE vulnerability (source)
- Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console (source)
- PoC exploit for critical WhatsUp Gold RCE vulnerability released (CVE-2024-8785) (source)
- Apache Tomcat Vulnerability CVE-2024-56337 Exposes Servers to RCE Attacks (source)