(108/9/9) Reporting High Risk CVE in SWIFT Alliance Web Platform that Enables Log Injection

CHT Security's red team discovered a high-risk log injection vulnerability (CVE-2018-16386) in SWIFT Alliance Web Platform while performing a Financial Service System Security Assessment last year. SWIFT (Society for Worldwide Interbank Financial Telecommunication) is a global transaction data exchange system for financial services, used by more than 11,000 banks and securities dealers in more than 200 countries. SWIFT is an important target for hackers. Over the past three years, many banks, including in Taiwan, have lost more than 2.5 billion TWD due to the hacking of SWIFT-related systems. This vulnerability does not require login for log injection, and its CVSS v3.0 risk score is 7.5 (High). The details are as follows:

CVE-2018-16386

Our white hat hacker discovered a log injection vulnerability in SWIFT Alliance Web Platform 7.1.23. An attacker can abuse the system's error log function to write arbitrary content to any log file. When combined with another file inclusion vulnerability, it is possible to achieve command injection.

For example, an attacker can write an exploitation command into the log and then load the log content to achieve a command injection attack. If the attack succeeds, the attacker will have full control of the victim host.

The vendor released related updates as soon as possible after receiving the report. Because the SWIFT system is highly sensitive, the vulnerability was not publicly disclosed until this year, even though it was reported last year. Financial institutions or enterprises that are still using SWIFT version 7.1.23 or earlier are advised to contact the vendor for system updates as soon as possible.

If you cannot update immediately, we recommend the following mitigations:

  1. Regularly check the content of logs for any unexpected information that has been written to them.
  2. Enforce permission checks on access to every function in the software implementation, and deny access to requests that lack the proper privilege.
  3. Developers should validate parameters with whitelisting or regular expressions to prevent injection of malicious input. Enterprises are advised to adopt a Secure Software Development Life Cycle (SSDLC), provide secure coding training, and regularly conduct security tests, such as Source Code Security Analysis and Penetration Testing, to ensure the effectiveness of enterprise cybersecurity.
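
Mitigations 1 and 3 can be sketched together as follows. This is an added example, not code from CHT Security or the vendor: it validates a parameter against an allowlist before it is written to an error log, and scans an existing log for lines that deviate from the expected format. The log line layout, the marker list, the function names and the sample log are all assumptions constructed for illustration.

```python
import re

# Assumed (hypothetical) layout: "YYYY-MM-DD HH:MM:SS LEVEL component: message"
LINE_RE = re.compile(
    r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (INFO|WARN|ERROR) [a-z_]{1,32}: [\x20-\x7e]{0,200}"
)
# Delimiters of interpretable content that has no place in an error log
CODE_MARKERS = re.compile(r"<\?|<%|<script|\$\{|`", re.IGNORECASE)
# Allowlist for a request parameter that is echoed into the error log
PARAM_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def safe_log_value(value: str) -> str:
    """Mitigation 3: log the value only if it is allowlisted, else a fixed token."""
    if PARAM_RE.fullmatch(value):
        return value
    return "[rejected len=%d]" % len(value)


def scan_log(text: str):
    """Mitigation 1: return (line_no, reason, line) for every unexpected line."""
    findings = []
    for no, line in enumerate(text.split("\n"), 1):
        if not line:
            continue
        if CODE_MARKERS.search(line):
            findings.append((no, "code-marker", line))
        elif not LINE_RE.fullmatch(line):
            # Covers missing timestamps, stray CR bytes and non-printable data
            findings.append((no, "bad-format", line))
    return findings


# Constructed sample log: lines 4 to 6 stand in for injected content
SAMPLE_LOG = (
    "2019-01-01 10:00:00 INFO auth: login page served\n"
    "2019-01-01 10:00:05 ERROR gui: unknown resource report_01\n"
    "2019-01-01 10:00:09 ERROR gui: unknown resource x\n"
    "<% constructed marker %>\n"
    "2019-01-01 10:00:12 ERROR gui: unknown resource ${placeholder}\n"
    "free text with no timestamp\n"
)

if __name__ == "__main__":
    for no, reason, line in scan_log(SAMPLE_LOG):
        print(no, reason, repr(line))
    print(safe_log_value("report_01"), safe_log_value("x\r\nforged line"))
```

A forged line that fully matches the expected format passes the scanner, so the scan complements validation at write time and does not replace it.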