During a pentest last year I found an issue which affected the Windows installation product packages for the following products from Utimaco:

SecurityServer 3.x, 4.x up to version 4.31.1
PaymentServer 3.x, 4.x up to version 4.33.0
PaymentServer Hybrid 3.x, 4.x up to version 4.33.0
Block-safe 2.0.0, 3.0.0
CryptoServer CP5 5.0.0.0, 5.1.0.0, incl. CryptoServer CP5 Supporting CD and CryptoServer CP5 SDK CD
CryptoServer CP5 VS-NfD 5.1.0.0
CryptoServer SDK 3.x, 4.x up to version 4.31.1

The issue related to weak folder permissions set by the Windows installers, which allowed a local user to escalate privileges.

The HSM Firmware was not affected by this issue.
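The class of bug here is a directory that a vendor installer leaves writable by ordinary users while something more privileged later reads or executes from it. The script below is an added example written for this post; it is not code from the original post, from Utimaco, or from the advisory, and the path, the script name and the list of low-privileged principals are assumptions. It walks a directory tree, reports every Allow ACE that gives Everyone, Users, Authenticated Users or INTERACTIVE any write-type right (including the unmapped GENERIC_WRITE / GENERIC_ALL bits that Get-Acl leaves as raw numbers), and can optionally prove the finding by creating and deleting a file in each flagged folder.

```powershell
<#
Added example for this post (not from the original post, Utimaco, or the advisory).
Audits a folder tree for ACEs that grant write-type access to low-privileged
principals, the weakness class described above. Script name, path and principal
list are assumptions.
Usage (assumed file name): .\Find-WeakFolderAcl.ps1 -Path 'C:\Program Files\Vendor' -ProbeWrite
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$Path,        # root of the install directory to audit (assumed example path above)
    [switch]$ProbeWrite   # also try to create and delete a file in each flagged folder
)

# Identities that every local account is effectively a member of (assumed list).
$lowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let the holder add, replace, rename, delete or re-ACL files in a folder.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($fsr::Write -bor $fsr::Modify -bor $fsr::FullControl -bor
                   $fsr::WriteData -bor $fsr::AppendData -bor $fsr::Delete -bor
                   $fsr::ChangePermissions -bor $fsr::TakeOwnership)

# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) are not mapped by the
# FileSystemRights enum, so Get-Acl shows them as raw integers; test them separately.
$genericMask = 0x40000000 -bor 0x10000000

function Test-WeakAce {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    if ($lowPrivPrincipals -notcontains $Ace.IdentityReference.Value) { return $false }
    $bits = [int]$Ace.FileSystemRights
    return ((($bits -band $writeMask) -ne 0) -or (($bits -band $genericMask) -ne 0))
}

# Try to create and remove a uniquely named file; succeeds only if the caller really has write access.
function Test-FolderWritable {
    param([string]$Folder)
    $tmp = Join-Path $Folder ('acl-probe-{0}.tmp' -f [guid]::NewGuid())
    try {
        New-Item -ItemType File -Path $tmp -ErrorAction Stop | Out-Null
        Remove-Item -LiteralPath $tmp -Force -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

$folders = @(Get-Item -LiteralPath $Path) +
           @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)

foreach ($folder in $folders) {
    try { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop } catch { continue }

    $weak = @($acl.Access | Where-Object { Test-WeakAce $_ })
    if ($weak.Count -eq 0) { continue }

    $probe = 'not probed'
    if ($ProbeWrite) {
        $probe = if (Test-FolderWritable $folder.FullName) { 'WRITE OK' } else { 'write denied' }
    }

    foreach ($ace in $weak) {
        [pscustomobject]@{
            Folder    = $folder.FullName
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights.ToString()   # raw number if generic bits are present
            Inherited = $ace.IsInherited
            Probe     = $probe
        }
    }
}
```

Run the probe from a plain, non-elevated user session; from an administrator shell the write test proves nothing, since an admin can write anyway. A folder under Program Files that reports `WRITE OK` for `BUILTIN\Users` or `Everyone` is a finding when anything under it is later executed or loaded by a service, a scheduled task or an elevated installer. The expected state after remediation is that these principals hold read-and-execute rights only, which `icacls <folder>` will show as `(RX)` rather than `(M)`, `(W)` or `(F)`.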

Utimaco were very responsive when I reported this to them and kept me informed throughout their remediation process.

A security advisory document was produced for their clients which can be viewed using the Download button below.
