
CVE-2024-3263 Improper Authentication in YMS VIS Pro

Remediata’s research team identified a critical severity vulnerability within the YMS VIS Pro version 3.3.0.6, a pivotal application utilised by the State Veterinary and Food Administration of the Slovak Republic (SVFA). This critical vulnerability (CVSS 9.8) opens the door to trivial brute-force attacks, posing a significant risk of unauthorised access to sensitive data.

Overview

YMS VIS Pro plays a crucial role in the operations of the State Veterinary and Food Administration of the Slovak Republic (SVFA), facilitating tasks such as veterinary management, food quality administration, farm management, invoice processing and more.

Remediata reported that the application adopts a uniform approach wherein a 4-6 digit combination serves as both the username and the password. Our research confirmed that this standardised practice is consistent across a user base exceeding 2000 individual user accounts.

Additionally, it’s noteworthy that the 4-6 digit combination serves as the actual veterinary licence identifier, which is publicly available information in most cases, amplifying the security risks associated with the improper authentication in YMS VIS Pro application.

This practice not only undermines the system’s security but also renders it susceptible to brute force attacks, allowing unauthorised access with relative ease (CVE-2024-3263).

Mitigation

The identified vulnerability has been effectively addressed through the implementation of robust measures, including significant changes in authentication mechanisms and the introduction of an additional layer of authentication. Moreover, stringent password policies have been put into place to bolster security measures further. These proactive steps have collectively contributed to the mitigation of the vulnerability across all affected versions, including 3.3.0.6 and earlier versions of YMS VIS Pro.
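The two defensive controls the advisory describes, a password policy that rejects credentials of the kind found here (a short numeric identifier reused as both username and password) and monitoring for the brute-force pattern such credentials invite, can be illustrated in a few dozen lines. The following is an added example written for this page; it is not code from YMS VIS Pro, Remediata or SVFA. The policy thresholds, the log line format and the sample log lines are constructed for the example and do not describe the product's real logging.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed policy threshold (an assumption for this example, not the vendor's value).
MIN_LENGTH = 12


def keyspace_digits(min_len: int, max_len: int) -> int:
    """Number of distinct all-digit strings with length in [min_len, max_len].

    For the 4-6 digit identifiers described in the advisory this is
    10^4 + 10^5 + 10^6 = 1,110,000 candidates per account, which is why a
    numeric-only credential is trivially enumerable without rate limiting.
    """
    return sum(10 ** n for n in range(min_len, max_len + 1))


def check_password_policy(username: str, password: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable.

    The rules target exactly the weakness described on the page: a password that
    equals or contains the (publicly known) user identifier, or is all digits.
    """
    violations = []
    if password.strip() == username.strip():
        violations.append("password equals username")
    if password.isdigit():
        violations.append("password is all digits")
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if username and username in password and password != username:
        violations.append("password contains username")
    return violations


# Constructed (hypothetical) authentication log format for the detector:
#   "<ISO-8601 timestamp> LOGIN_<FAILED|OK> user=<id> src=<ip>"
LOG_RE = re.compile(r"^(\S+) LOGIN_(FAILED|OK) user=(\S+) src=(\S+)$")


def detect_bruteforce(lines: List[str],
                      window: timedelta = timedelta(minutes=5),
                      threshold: int = 5) -> Dict[str, int]:
    """Flag source IPs with at least `threshold` failed logins inside `window`.

    Enumeration of numeric identifiers shows up as one source cycling through
    many usernames, so the returned value is the number of distinct users that
    the flagged source failed against in the first offending window.
    """
    events = defaultdict(list)  # src ip -> [(timestamp, user), ...]
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group(2) != "FAILED":
            continue  # ignore unparseable lines and successful logins
        ts = datetime.fromisoformat(m.group(1))
        events[m.group(4)].append((ts, m.group(3)))

    alerts: Dict[str, int] = {}
    for src, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            in_window = [user for t, user in evs[i:] if t - start <= window]
            if len(in_window) >= threshold:
                alerts[src] = len(set(in_window))
                break
    return alerts


# Constructed sample log: one source enumerating six identifiers in 25 seconds,
# and a second source with two isolated failures half an hour apart.
SAMPLE_LOG = [
    "2024-02-25T10:00:00 LOGIN_FAILED user=1001 src=203.0.113.7",
    "2024-02-25T10:00:05 LOGIN_FAILED user=1002 src=203.0.113.7",
    "2024-02-25T10:00:10 LOGIN_FAILED user=1003 src=203.0.113.7",
    "2024-02-25T10:00:15 LOGIN_FAILED user=1004 src=203.0.113.7",
    "2024-02-25T10:00:20 LOGIN_FAILED user=1005 src=203.0.113.7",
    "2024-02-25T10:00:25 LOGIN_FAILED user=1006 src=203.0.113.7",
    "2024-02-25T10:00:30 LOGIN_OK user=1006 src=203.0.113.7",
    "2024-02-25T10:01:00 LOGIN_FAILED user=2001 src=198.51.100.2",
    "2024-02-25T10:30:00 LOGIN_FAILED user=2001 src=198.51.100.2",
]

if __name__ == "__main__":
    print("4-6 digit keyspace:", keyspace_digits(4, 6))
    print("policy violations for id-as-password:", check_password_policy("12345", "12345"))
    print("brute-force alerts:", detect_bruteforce(SAMPLE_LOG))
```

The policy check is the part that would have prevented the reported configuration outright, since a credential identical to a public identifier fails it on two counts. The detector is the compensating control: even where a stronger second factor is added, a short window of failures across many distinct identifiers from one source is the signal an operator should alert on and rate-limit.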

Timeline

  • 2024-02-25 – Vulnerability reported to SK-CERT
  • 2024-02-26 – Developer and system operator notified by SK-CERT
  • 2024-02-27 – Vulnerability confirmed by system operator
  • 2024-04-17 – Developer and system operator confirmed vulnerability fix

Summary

At Remediata, our mission is twofold: to serve our clients and to contribute to a safer cyberspace through both our services and our nonprofit research initiatives. We recognise the paramount importance of cybersecurity, particularly in Internet-facing applications and infrastructure.

Lastly, we would like to thank the State Veterinary and Food Administration of the Slovak Republic (SVFA) for their prompt and decisive actions in remedying the identified issues. Furthermore, we extend our appreciation to SK-CERT for their invaluable role in facilitating communication between Remediata and SVFA, thereby enhancing the efficiency and efficacy of the resolution process.