NSIDE-SA-2025-002
Advisory: Session ID Disclosure in UC eBanking Prime
NSIDE ATTACK LOGIC discovered multiple vulnerabilities that may allow
attackers to gain unauthorized access to the eBanking web interface, granting
access to sensitive data such as account statements. The vulnerability described
in this advisory is the disclosure of session IDs via a WebSocket connection.
Details
=======
Affected Product: UC eBanking Prime
Affected Versions: confirmed with 6.1.0 and 6.2.0 <= 6.2.0.3
Vulnerability Types: Sensitive Data Disclosure
Security Risk: HIGH
Vendor Status: FIXED
Fixed Version: 6.2.0.3
Advisory Status: PUBLISHED
Advisory URL: https://www.nsideattacklogic.de/advisories/NSIDE-SA-2025-002
Advisory URL (text only): https://www.nsideattacklogic.de/advisories/NSIDE-SA-2025-002.txt
CVE ID: pending
Introduction
============
UC eBanking Prime[1] is an on-premise electronic banking solution for business
clients of HypoVereinsbank/UniCredit. It consists of a web application hosted in
the client's intranet and a desktop application used for authentication called
OTC Client.
Description
===========
UC eBanking Prime uses the messaging protocol STOMP[2] over WebSockets to
asynchronously exchange messages between the Prime server and the OTC Client
desktop application. This mechanism is used for notifications, for example about
logon and logoff events.
In order to receive notifications for a certain user, the desktop application
connects to the HTTP(S) endpoint `/signatureClient/otc`, providing the user's
12-character user ID in the HTTP header "UID". It then subscribes to the STOMP
topic `/user/topic`.
Once a user authenticates to the web application, a "login success" message is
broadcast to subscribed clients. The message contains a STOMP header called
"sessionId" whose value is the JSESSIONID cookie of the associated web session.
Risk
====
Attackers with knowledge of a user ID and network access to the Prime server can
subscribe to that user's notifications. Once the user authenticates, the
associated JSESSIONID is broadcast to all subscribers, including the attacker.
This grants the attacker an authenticated session and allows them to act on
behalf of the user. While most user IDs are randomly generated, they are not
treated as secrets. Additionally, the default administrator account has the user
ID 111-111-111-111.
Solution/Mitigation
===================
The vendor fixed this vulnerability in version 6.2.0.3 by broadcasting the
SHA-256 hash value of the JSESSIONID instead of the cookie value itself. This is
regarded as a sufficient fix, since the hash cannot practically be reversed to
recover the session ID, so a subscriber cannot take over the session with that
information.
Affected users are therefore advised to update to version 6.2.0.3 or a more
recent one.
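As an added illustration (not part of this advisory and not the vendor's code), the following Python models the STOMP MESSAGE frame described in the Description section in both forms: the pre-6.2.0.3 behaviour, in which the raw JSESSIONID travels in the "sessionId" header, and the fixed behaviour, in which only its SHA-256 hex digest does. It also includes a small audit check that can be run against captured frames to confirm the fix is in effect. The advisory only names the destination `/user/topic` and the `sessionId` header; the `event` header, the empty body, the sample cookie value and the exact frame layout are assumptions made for the example.

```python
import hashlib
from typing import Dict, Tuple

# Header-value escaping required by STOMP 1.2 for all frames except CONNECT/CONNECTED.
_ESCAPE = {"\\": "\\\\", "\r": "\\r", "\n": "\\n", ":": "\\c"}
_UNESCAPE = {"\\": "\\", "r": "\r", "n": "\n", "c": ":"}


def _escape(value: str) -> str:
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def _unescape(value: str) -> str:
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\":
            if i + 1 >= len(value) or value[i + 1] not in _UNESCAPE:
                raise ValueError("undefined escape sequence in STOMP header")
            out.append(_UNESCAPE[value[i + 1]])
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def build_stomp_message(destination: str, headers: Dict[str, str], body: str = "") -> bytes:
    """Serialise a STOMP MESSAGE frame: command line, header lines, blank line, body, NUL."""
    lines = ["MESSAGE", f"destination:{_escape(destination)}"]
    lines += [f"{_escape(k)}:{_escape(v)}" for k, v in headers.items()]
    return ("\n".join(lines) + "\n\n" + body + "\x00").encode("utf-8")


def parse_stomp_frame(raw: bytes) -> Tuple[str, Dict[str, str], str]:
    """Parse one text-bodied frame (no content-length handling) into (command, headers, body)."""
    text = raw.decode("utf-8")
    if not text.endswith("\x00"):
        raise ValueError("frame not NUL-terminated")
    head, sep, body = text[:-1].partition("\n\n")
    if not sep:
        raise ValueError("frame lacks blank line between headers and body")
    command, *header_lines = head.split("\n")
    headers: Dict[str, str] = {}
    for line in header_lines:
        key, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        # STOMP: when a header is repeated, only the first occurrence is significant.
        headers.setdefault(_unescape(key), _unescape(value))
    return command, headers, body


def hash_session_id(jsessionid: str) -> str:
    """SHA-256 hex digest of the cookie value; what 6.2.0.3 broadcasts according to the advisory."""
    return hashlib.sha256(jsessionid.encode("utf-8")).hexdigest()


def login_notification_vulnerable(jsessionid: str) -> bytes:
    # Behaviour before the fix: the raw JSESSIONID value is placed in the sessionId header.
    # The 'event' header and the empty body are assumptions for illustration.
    return build_stomp_message("/user/topic", {"sessionId": jsessionid, "event": "login success"})


def login_notification_fixed(jsessionid: str) -> bytes:
    # Behaviour from 6.2.0.3: only the SHA-256 digest is broadcast, so a subscriber
    # cannot recover the cookie and the notification no longer yields a usable session.
    return build_stomp_message(
        "/user/topic", {"sessionId": hash_session_id(jsessionid), "event": "login success"}
    )


def frame_leaks_raw_session_id(frame: bytes) -> bool:
    """Audit heuristic for captured frames: True when a MESSAGE carries a sessionId header
    that is not a SHA-256 hex digest (64 hex characters). Servlet-container JSESSIONID values
    are typically 32 hex characters, so the fixed and unfixed formats differ in shape."""
    command, headers, _ = parse_stomp_frame(frame)
    if command != "MESSAGE" or "sessionId" not in headers:
        return False
    value = headers["sessionId"]
    is_sha256_hex = len(value) == 64 and all(c in "0123456789abcdef" for c in value.lower())
    return not is_sha256_hex


if __name__ == "__main__":
    demo_cookie = "0123456789ABCDEF0123456789ABCDEF"  # constructed sample, not a real session
    for label, frame in (("before fix", login_notification_vulnerable(demo_cookie)),
                         ("6.2.0.3", login_notification_fixed(demo_cookie))):
        print(f"{label}: leaks raw session id = {frame_leaks_raw_session_id(frame)}")
```

The audit check is deliberately shape-based: an observer of the topic has no way to learn the real cookie, so the only property it can verify is that the broadcast value has the form of a digest rather than of a session token. Running it against frames captured on the client's intranet after the upgrade gives a quick confirmation that the patched server is the one actually serving the OTC Clients.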
Disclosure timeline
===================
2025-03-27: Vulnerability identified during an engagement
2025-04-07: NSIDE's client agrees to responsible disclosure process
2025-04-07: Vendor notified, requested secure communication channel
2025-04-07: Vendor demands report through client
2025-04-16: NSIDE submits report to vendor
2025-04-28: Asked vendor for update, vendor had not yet reviewed the report
2025-05-07: Asked vendor for update, vendor had not yet reviewed the report
2025-05-08: Vendor acknowledges report
2025-05-28: NSIDE informed vendor about publication deadline on July 17, 2025
2025-06-25: Vendor releases version 6.2.0.3 including the fix for this vulnerability
2025-12-15: Advisory and associated blog post[3] published by NSIDE
Contact/Credits
===============
The vulnerability was discovered during an assessment by Jonas Lieb of NSIDE
ATTACK LOGIC GmbH.
References
==========
[0] https://nsideattacklogic.de/
[1] https://www.hypovereinsbank.de/hvb/unternehmen/konto-zahlungsverkehr/ebanking-loesungen
[2] https://docs.spring.io/spring-framework/reference/web/websocket/stomp/overview.html
[3] https://www.nsideattacklogic.de/mehrere-schwachstellen-in-uc-ebanking-prime/
Disclaimer
==========
The information in this security advisory is provided "as is" and without
warranty of any kind. Details of this security advisory may be updated in order
to provide as accurate information as possible. The most recent version of this
security advisory can be found at NSIDE ATTACK LOGIC GmbH's website
(https://www.nsideattacklogic.de/).