The Indian Computer Emergency Response Team (CERT-In) has raised concerns about vulnerabilities in two government applications, which could potentially allow hackers to take control of the systems.
Ironically, these two apps, USB Pratirodh and AppSamvid 2.0.1, are designed for cybersecurity purposes. Both applications have been developed by the IT Ministry’s Centre for Development and Advanced Computing (C-DAC).
This comes at a time when several Indian government websites, email IDs, databases, and overall digital infrastructure are being routinely targeted by threat actors, either in a bid to steal sensitive information or to sell such stolen databases on the dark web for a hefty fee.
“Multiple vulnerabilities have been reported in AppSamvid software which could allow a local authenticated attacker to take control of the application or execute code on the targeted system,” CERT-In’s vulnerability note from March 4 said. CERT-In’s alert for USB Pratirodh was similar.
While USB Pratirodh controls the usage of pen drives and external hard drives, allowing only authenticated users to access removable storage media, AppSamvid is an application that allows only “whitelisted” software to run on an operating system.
The nodal cybersecurity agency, which functions under the IT Ministry, also pointed out that the vulnerability in AppSamvid existed due to the usage of a “weaker cryptographic algorithm” in the user login section.
“An attacker with local administrative privileges could exploit this to obtain the password of AppSamvid on the targeted system. Successful exploitation of this vulnerability could allow an attacker to take complete control of the application on the targeted system,” CERT-In said.
USB Pratirodh too has been found to be using a weak cryptographic algorithm, CERT-In said. A hacker could have exploited this vulnerability to obtain the password of USB Pratirodh on a targeted system. “Successful exploitation of this vulnerability could allow the attacker to take control of the application and modify the access control of registered users or devices on the targeted system,” it added.