Cooperation between BSI and mgm: Increasing the security of open source software

As part of the “Code Analysis of Open Source Software” (CAOS) project of the German Federal Office for Information Security (BSI), the program code of widely used open source projects was examined for vulnerabilities. Security experts from mgm were allowed to support the BSI in this. The investigations targeted two video conferencing systems and two eID templates; the vulnerability analyses are intended to help increase the security of open source software. The results of the CAOS project were published in summer 2023.

Short & concise

  • BSI and mgm investigate vulnerabilities and risks in open source applications in the CAOS project.
  • Two video conferencing systems and eID templates were tested.
  • All security vulnerabilities found were reported to the development teams and promptly fixed by them.

The strength of open source software (OSS) lies in the theoretically infinite number of software developers who add and improve functions and increase security. A coordinated, concentrated and documented approach is particularly important in the area of security. In particular, software that is increasingly used in public authorities and in society should be regularly checked for security vulnerabilities. In most cases, cyber attacks can be traced back to errors in the program code of the affected applications.

This is why the German Federal Office for Information Security (BSI) launched the “Code Analysis of Open Source Software” (CAOS) project in 2021. The aim is to identify and eliminate common vulnerabilities and risks in applications. The project also aims to support developers in creating secure software applications and to increase trust in open source software. Static code analysis with accompanying dynamic analysis is used as the research method. According to the Federal Office for Information Security, the central objective of the project is: “The code analysis is intended to strengthen confidence in the security properties of the product and dispel any doubts about the correctness of the functional descriptions.” Two video conferencing systems and two eID templates were examined.

Focus on video conferencing tools Jitsi and BigBlueButton

The two open source video conferencing tools Jitsi and BigBlueButton were subjected to a comprehensive security audit. This involved a combination of source code reviews, dynamic analyses and interface analyses in the areas of network interfaces, protocols and standards. The test was carried out using the whitebox method.

While no critical vulnerabilities were found in Jitsi, BigBlueButton had two vulnerabilities classified as critical. Both were stored cross-site scripting (XSS) issues: a JavaScript payload could be inserted via the user name and was then delivered to other participants. Two CVE identifiers (Common Vulnerabilities and Exposures) were issued: CVE-2022-26497 and CVE-2022-27238. Both vulnerabilities were disclosed to the developers before publication as part of the responsible disclosure process and have been fixed in newer versions of the open source tools.
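The stored XSS class described above comes down to where user-controlled text is written into markup. The following is an added example, not BigBlueButton's code or the CAOS report's, with a hypothetical participant-list renderer: the unsafe pattern (raw name concatenated into HTML) sits beside the hardened one (output encoding at the sink), plus a small check a reviewer or unit test can run over the rendered output. The function names and the sample names are constructed for illustration.

```javascript
// Added example (hypothetical code, not from BigBlueButton or the CAOS report):
// rendering user-supplied display names into a participant list.

// Constructed sample display names as they might arrive from a signup form.
const SAMPLE_NAMES = ["Alice", "Bob <b>bold</b>", '"quoted" & ampersand'];

// Minimal HTML escaping for text placed into an element body or a quoted
// attribute value. Every character that can start or end markup is encoded.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Unsafe: the raw name is concatenated into markup. Any tag the name contains
// becomes part of the page for every viewer, which is exactly what makes the
// issue "stored" XSS once the name is persisted server-side.
function renderParticipantUnsafe(name) {
  return `<li class="participant">${name}</li>`;
}

// Hardened: encode at the sink, so the name is displayed literally.
// In a browser, assigning to element.textContent achieves the same effect;
// assigning to innerHTML does not.
function renderParticipantSafe(name) {
  return `<li class="participant">${escapeHtml(name)}</li>`;
}

// Check usable in a test suite or a code review harness: strip the wrapper
// this renderer emits and flag any remaining tag-like sequence in the body.
function containsUnexpectedTag(html) {
  const body = html
    .replace(/^<li class="participant">/, "")
    .replace(/<\/li>$/, "");
  return /<[a-zA-Z!/]/.test(body);
}

// Render the constructed sample with both variants and report which leak markup.
function auditSample(names = SAMPLE_NAMES) {
  return names.map((name) => ({
    name,
    unsafeLeaks: containsUnexpectedTag(renderParticipantUnsafe(name)),
    safeLeaks: containsUnexpectedTag(renderParticipantSafe(name)),
  }));
}

// Stand-alone run: prints one row per sample name.
console.table(auditSample());
```

The point of the check is that it tests the rendered output rather than the input: input filtering of user names is a useful defence in depth, but the fix the report describes lives at the output encoding step, and a test on the sink catches regressions no matter which code path wrote the name.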

In addition, BigBlueButton uses 75 third-party open source dependencies with known high or critical security vulnerabilities; Jitsi uses 31. In both projects there was evidence of code that indicated “bad practice” and that an automated code quality check should have detected. The report therefore concludes that it is highly unlikely that such a check was carried out by either open source team.

The investigation was carried out between February 1 and April 25, 2022.

Security gaps successfully closed

The vulnerabilities and anomalies found were reported directly to the development teams by the BSI as part of a responsible disclosure procedure, and all vulnerabilities were fixed promptly (in the newer versions). The procedure gives developers a reasonable period of time to fix vulnerabilities before they are published. The results, published in summer 2023, combine source code review, dynamic analysis and interface analysis in the areas of network interfaces, protocols and standards.

Further code analyses are planned in order to increase the security of open source software in the future. The project will be continued under the name CAOS 2.0.

Electronic identities (eID) put to the test

To enable citizens to use the online identification function of the ID card, service providers must integrate their services into the electronic identity (eID) infrastructure. The eID templates are intended to make authentication for WordPress or Nextcloud installations secure and are part of the planned introduction of the “eID card”.

Two eID login plug-ins were examined as part of the CAOS project: eid-login-wordpress and eid-login-nextcloud. Both applications were subjected to a static source code analysis with accompanying dynamic analysis. Here too, the investigation was carried out using the whitebox method; it revealed no serious security vulnerabilities in either plugin.

In general, the eID login plug-ins are maintained by experienced developers who attach great importance to security. It is evident that various security tools have already been applied to both plugins in the past.

The analyses took place in the period from April 4, 2022 to May 25, 2022.


Further information:

BSI project report: Codeanalyse von Open Source Software (Projekt CAOS) (German only)

BSI press release: BSI will Sicherheit von Open-Source-Software erhöhen (German only)