U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Vulnerability Change Records for CVE-2024-23674

Change History

New CVE Received by NIST 2/15/2024 6:15:08 PM

Action Type Old Value New Value
Added Description

								
							
							
						
The Online-Ausweis-Funktion eID scheme in the German National Identity card through 2024-02-15 allows authentication bypass by spoofing. A man-in-the-middle attacker can assume a victim's identify for access to government, medical, and financial resources, and can also extract personal data from the card, aka the "sPACE (Spoofing Password Authenticated Connection Establishment)" issue. This occurs because of a combination of factors, such as insecure PIN entry (for basic readers) and eid:// deeplinking. The victim must be using a modified eID kernel, which may occur if the victim is tricked into installing a fake version of an official app. NOTE: the BSI position is "ensuring a secure operational environment at the client side is an obligation of the ID card owner."
Added Reference

								
							
							
						
MITRE https://ctrlalt.medium.com/space-attack-spoofing-eids-password-authenticated-connection-establishment-11561e5657b1 [No types assigned]
Added Reference

								
							
							
						
MITRE https://www.ausweisapp.bund.de/ [No types assigned]
Added Reference

								
							
							
						
MITRE https://www.dropbox.com/scl/fi/2powlii0dnmr7p7v5ijhc/2024_German_eID_02_Spoofing_PACE_final.pdf?rlkey=nx0ffmmbq3hffgxsuqwf0f45z&dl=0 [No types assigned]
Added Reference

								
							
							
						
MITRE https://www.personalausweisportal.de/ [No types assigned]