Security Advisory: Outdated and vulnerable OpenSource libraries used in "Deutsche Telekom" home banking software

[EN] securityvulns.ru
no-pyccku

Related information
  Deutsche Telekom banking software multiple security vulnerabilities

From: Stefan Kanthak <stefan.kanthak_(at)_nexgo.de>
Date: 19.11.2008
Subject: Outdated and vulnerable OpenSource libraries used in "Deutsche Telekom" home banking software

The "Deutsche Telekom" resp. their "T-Online" branch offer their
own home banking software for Windows under
<ftp://software.t-online.de/pub/service/banking/banking70.exe>
The current release is version 7.00.0004 from 2008-03-17.

This software is but insecure; it installs and uses:

- the libraries LIBEAY32.DLL and SSLEAY32.DLL of the completely
outdated, unsupported and vulnerable OpenSSL 0.9.6g from
2002-08-19 (see <http://www.openssl.org/news/>);

- the library LIBCURL.DLL of the outdated, unsupported and
vulnerable cURL 7.14.1 from 2005-09-05 (see
<http://curl.haxx.se/libcurl/>);

- the libraries xerces-c_2_6.dll and xerces-depdom_2_6.dll of
the outdated and unsupported Xerces 2.6 (see
<http://xerces.apache.org/xerces-c/releases.html> as well as
<http://xerces.apache.org/xerces-c/releases_archive.html>);

- the library CM32L7.DLL of vendor "combit GmbH" which has been
built with a completely outdated, unsupported and vulnerable
ZLIB (see <http://zlib.net/>);

- an SSL certifikate container CAcerts.pem with an expired
certificate (Validity: not after "Feb 23 23:59:00 2006 GMT");
Two other certificates will expire next week, and another two
more in three weeks.

To put the icing on the cake:

- the software installs without any error message on Windows 2000,
although it needs Windows XP or Windows Vista to run (see
<http://service.t-online.de/c/12/70/32/44/12703244.html>), and
fails to start with error message "Library UXTHEME.DLL missing"
after successful installation.

The vendor has been informed via its own hotline, its own CERT, its
press spokesman for security (the "Deutsche Telekom" is member of
the german initiative "Sicher im Netz", see
<https://www.sicher-im-netz.de/wir_ueber_uns/146.aspx>) and its
security officer, both per mail and phone (where available).

Response(s): NONE
Reaction(s): NONE

Stefan Kanthak

PS: <http://service.t-online.de/c/12/70/85/92/12708592.html>
   states that this software has been evaluated by TUeV Saarland and
   got their label "TUeV Saarland: Gepruefte Home-Banking Software".
   Whatever they checked: it wasn't the security of this software!