External risk intelligence

Attacker can steal customer payment data and change transaction amounts

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2020-37168

An issue in Ecommerce Systempay allows attackers to guess the secret key, exposing payment data and potentially letting them change transaction amounts. Because this system is public-facing, it needs immediate attention to protect finances.

Halo Surface Signal: 5

External exposure likelihood

Halo Surface Signal score for CVE-2020-37168

The vulnerability affects a payment processing endpoint in an ecommerce application. By design, these endpoints are public-facing internet services required to accept transaction data from customers, making them reachable from the internet in all standard deployments.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in an ecommerce system allows attackers to guess the production secret key used to secure payment transactions. By obtaining this key, an attacker could potentially alter transaction amounts or create fraudulent payments.

  • Payment data can be compromised.
  • Transaction integrity is at risk.
  • The system is reachable from the internet.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this by intercepting payment requests sent to the Ecommerce Systempay payment endpoint. They would then repeatedly guess the 16-character production secret key used for signature generation, comparing the SHA1 hash produced by each candidate key against the captured signature until they find a match. With the key, they could forge valid payment signatures and alter transaction amounts to their benefit.

  • Publicly accessible endpoint.
  • Intercepting POST requests.
  • Brute-forcing production secret key.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows for brute-forcing a production secret key, which could enable attackers to forge payment signatures and manipulate transactions. The direct impact on financial data makes it a prime target for financially motivated adversaries.

  • Exploit code available publicly.
  • The vulnerability affects payment processing.
  • It has been referenced by exploit databases.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Immediately prioritize blocking any traffic that attempts to brute-force payment signature keys, to prevent financial fraud. Teams should identify the systems that process payments and assess how exposed the production secret key is. If the key is compromised or cannot be secured quickly, consider temporarily disabling payment processing.

  • Harden secret key generation and storage.
  • Monitor for suspicious transaction patterns.
  • Implement rate limiting on payment endpoints.
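The monitoring and rate-limiting items above can be backed by a simple sliding-window detector. The following is an added example, not code from the advisory or from Ecommerce Systempay; the log format, field names, addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines for a payment-return endpoint (not from any real system).
# 203.0.113.5 produces a burst of signature failures; 198.51.100.7 has two spaced-out retries.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z ip=198.51.100.7 path=/payment/return sig_check=OK order=ORD-1001
2024-05-01T10:00:01Z ip=203.0.113.5 path=/payment/return sig_check=FAIL order=ORD-1002
2024-05-01T10:00:02Z ip=203.0.113.5 path=/payment/return sig_check=FAIL order=ORD-1002
2024-05-01T10:00:03Z ip=203.0.113.5 path=/payment/return sig_check=FAIL order=ORD-1002
2024-05-01T10:00:04Z ip=203.0.113.5 path=/payment/return sig_check=FAIL order=ORD-1002
2024-05-01T10:00:05Z ip=203.0.113.5 path=/payment/return sig_check=FAIL order=ORD-1002
2024-05-01T10:00:30Z ip=198.51.100.7 path=/payment/return sig_check=FAIL order=ORD-1003
2024-05-01T10:05:00Z ip=198.51.100.7 path=/payment/return sig_check=FAIL order=ORD-1003
2024-05-01T10:05:01Z ip=198.51.100.7 path=/payment/return sig_check=OK order=ORD-1003
"""

# Assumed log format: "<ISO timestamp> ip=<addr> path=<path> sig_check=<OK|FAIL> order=<id>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) path=(?P<path>\S+) "
    r"sig_check=(?P<result>OK|FAIL) order=(?P<order>\S+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "ip": m["ip"], "path": m["path"],
            "result": m["result"], "order": m["order"]}

def detect_signature_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: first_alert_time} for sources whose signature-verification
    failures reach `threshold` inside a sliding window of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)   # ip -> timestamps of recent FAIL events
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "FAIL":
            continue
        q = failures[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in alerts:
            alerts[ev["ip"]] = ev["ts"]
    return alerts

if __name__ == "__main__":
    for ip, ts in detect_signature_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ts.isoformat()}Z signature brute-force suspected from {ip}")
```

Feeding the alert into a rate limiter or block list at the edge gives the "block brute-force traffic" step a concrete trigger; tune `threshold` and `window_seconds` against the legitimate retry rate of the storefront.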

Frequently asked questions

What is Ecommerce Systempay and how does it handle payments?

Ecommerce Systempay is a component used in online stores to process customer payments. It secures transactions by generating signatures for payment data, ensuring the integrity of financial exchanges.

How does CVE-2020-37168 enable attackers to compromise payment integrity?

This vulnerability, classed as a weak cryptographic implementation (CWE-328), allows attackers to guess the secret key used for payment signatures. By repeatedly testing candidate keys, they can forge valid signatures and alter transaction amounts.

What is the exploitation path for CVE-2020-37168?

Attackers intercept POST requests to the payment endpoint, extract payment data and signatures, and then use SHA1 hash comparison to iteratively guess the 16-character production secret key.

What makes CVE-2020-37168 a very likely threat for payment systems?

The vulnerability affects a public-facing payment processing endpoint, making it directly reachable from the internet. This accessibility allows for the potential interception of payment requests and subsequent brute-force attacks on the secret key.

What practical steps should be taken to address CVE-2020-37168?

Harden the generation and storage of secret keys, monitor for suspicious transaction patterns, and implement rate limiting on payment endpoints. Consider disabling payment processing temporarily if the production key cannot be secured quickly.
