CVE-2019-20455

On 2019-03-28, Global Payments issued a commit to their SDK that introduced a vulnerability allowing man-in-the-middle attacks, because SSL certificate verification was explicitly disabled. As a result, all communications between merchants and GlobalPay could be intercepted and read in the clear. Any merchant using a version of the SDK released between 2017-08-31 and 2019-12-10 was vulnerable to this issue.

Git Blame: https://github.com/globalpayments/php-sdk/commit/7c5910817c7f44f6a687b6e7f68343c35ed23c64

Correction: The original version of this article indicated that the vulnerable versions were those between 2019-03-28 and 2019-12-10; however, upon further investigation and community feedback, it appears this issue was introduced numerous times. The first commit (https://github.com/globalpayments/php-sdk/commit/a2f01f4113aae11a915613f555ee8a4762f8e299#diff-75598bd8eda8749a6e7077c2692fee50R80-R81) introduced it, and the fix was in place for less than two days before being removed in another commit.

First Fix: https://github.com/globalpayments/php-sdk/commit/c86e18f28c5eba0d6ede7d557756d978ea83d3c9#diff-75598bd8eda8749a6e7077c2692fee50

Immediate Removal: https://github.com/globalpayments/php-sdk/commit/7c5910817c7f44f6a687b6e7f68343c35ed23c64
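The bug class above (a client that disables TLS certificate and hostname verification in its curl options) is easy to audit for in vendored PHP dependencies. The scanner below is an added example and not code from the advisory or from the Global Payments SDK; it assumes the PHP curl option names CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST, which are the standard libcurl settings for this check, and runs over a constructed PHP sample rather than the SDK's actual source.

```python
import re

# Constructed sample of PHP source lines modelled on the bug class this
# advisory describes: curl options that switch off TLS verification.
# These are not the SDK's own lines; they only illustrate the pattern.
SAMPLE_PHP = """
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);   // certificate check off
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);       // hostname check off
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$opts = [CURLOPT_SSL_VERIFYPEER => true, CURLOPT_SSL_VERIFYHOST => 2];
curl_setopt_array($ch, [CURLOPT_SSL_VERIFYPEER => FALSE]);
"""

# Values that disable or weaken each option. VERIFYPEER must be true;
# VERIFYHOST must be 2 for a real hostname match (0 disables it, and 1
# is a deprecated mode that does not match the hostname).
_UNSAFE = {
    "CURLOPT_SSL_VERIFYPEER": {"false", "0"},
    "CURLOPT_SSL_VERIFYHOST": {"false", "0", "1"},
}

# Matches both curl_setopt($ch, OPT, VALUE) and the array form OPT => VALUE.
_PATTERN = re.compile(
    r"(CURLOPT_SSL_VERIFY(?:PEER|HOST))\s*(?:,|=>)\s*([A-Za-z0-9_]+)"
)


def find_disabled_tls_verification(source: str):
    """Return (line_no, option, value) for every setting in the PHP
    source that weakens certificate or hostname verification."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for opt, value in _PATTERN.findall(line):
            if value.lower() in _UNSAFE[opt]:
                findings.append((line_no, opt, value))
    return findings


if __name__ == "__main__":
    for line_no, opt, value in find_disabled_tls_verification(SAMPLE_PHP):
        print(f"line {line_no}: {opt} set to {value} (verification weakened)")
```

Running it over a real vendor/ tree is a matter of feeding each .php file's contents to the function; the safe lines in the sample (true and 2) are deliberately left unflagged.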

Information Exposed

The following information is exposed over the wire in XML format; example payloads are included below:

- Full Name
- Customer ID
- Customer Type (Retail, Subscriber)
- Title (Mr|Ms|Mrs)
- Company Name
- Date of Birth
- Password
- Address
- City
- State or Province
- Country
- Postal or Zip Code
- Phone Numbers (Home, Work, Fax, Mobile)
- Email Address

Sample payload observed during vulnerability testing:

<customer>
  <customerid>1234</customerid>
  <firstname>Bob</firstname>
  <lastname>Smith</lastname>
  <dateofbirth>2019-01-01</dateofbirth>
  <customerpassword>mys3cr3tpassw0rd?</customerpassword>
  <email></email>
  <domainname></domainname>
  <devicefingerprint></devicefingerprint>
  <phonenumber>15555555555</phonenumber>
</customer>

Payment Information Exposure

In addition to the personal information disclosure, two distinct payloads were observed carrying credit or debit card details, including the 3-digit security code on the back of the card. Sample payloads observed across the wire during testing are included below:

<card>
  <ref>1234</ref>
  <payerref>CUSTOMER_KEY</payerref>
  <number>5152555555555555</number>
  <expdate>0122</expdate>
  <chname>BOB SMITH</chname>
  <type>MASTERCARD</type>
</card>

<card>
  <number>5152555555555555</number>
  <expdate>0122</expdate>
  <chname>BOB SMITH</chname>
  <type>MASTERCARD</type>
  <cvn>
    <number>123</number>
    <presind>1</presind>
  </cvn>
</card>

Disclosure

Disclosing this vulnerability was not easy. There was no security email address, and all attempts to make contact bounced. After numerous attempts and third-party disclosure assistance, initial contact was made by Global Payments on Tuesday, November 26th, 2019.

As of December 10th, 2019, the vulnerability has been patched in the upstream repository. The commit can be found here: https://github.com/globalpayments/php-sdk/commit/a73f8039b213ce6888df1f12e93fc3264d920f2e

Timeline

2019-07-10: Initial Discovery

2019-11-26: Initial contact from the VP of Information Security, by phone call.

2019-11-26: Email sent disclosing the origin of the vulnerability, payloads and information.

2019-11-27: VP acknowledges information receipt.

2019-11-27: VP requests a call for 1:00 PM EST with the security team located in the UK; call is accepted.

2019-11-27: Information pertaining to the exact two lines in the public repository is sent to the VP of Information Security, showing where the vulnerability is.

2019-11-27: VP of Information Security acknowledges and indicates they will pass this on to the security team for further analysis.

2019-12-07: VP indicates changes are being made and will advise when the fix has been made available.

2019-12-11: Notification that changes were made and the vulnerability has been patched.