PhilSys fixes Publicly Accessible Instances

Background

On August 6, 2018, Philippine President Rodrigo Roa Duterte signed Republic Act No. 11055, otherwise known as the Philippine Identification System Act, which establishes a single national identification system for all citizens and resident aliens of the Republic of the Philippines.

On November 20, 2020, the Philippine Statistics Authority (PSA) announced that 5,788,615 Filipinos had already completed Step 1 registration of the Philippine Identification System (PhilSys). (Source)

The PSA is targeting 9 million Filipinos for Step 1 by the end of 2020.

Technical Findings

In this section I present the technical findings from my passive reconnaissance against PhilSys.

Please keep in mind that all results were obtained from public search engines.

philsys.gov.ph

The primary website/domain of PhilSys is https://philsys.gov.ph/, and visiting it greets you with a browser warning that the connection to the website is not private.

The warning is caused by a certificate name mismatch: the TLS certificate served on philsys.gov.ph is issued for a different subdomain, promis.philsys.gov.ph, so the hostname in the address bar does not match any name on the certificate.

If you choose to proceed past the warning, the Apache2 Ubuntu Default Page is displayed.
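To see why the browser complains, it helps to reproduce the hostname check a browser performs. The following is an added example (my own illustration, not code from PhilSys or MOSIP): it matches a hostname against the names on a certificate using the same rules browsers apply (subjectAltName takes precedence over the subject commonName, a leading wildcard covers exactly one label), and includes a helper that pulls the certificate a live server presents. The sample certificate dict is constructed to mirror the mismatch described above; the real one may carry more names.

```python
"""Check whether the certificate a server presents is valid for the hostname
being visited. Added example; not code from the original post or from MOSIP."""
import socket
import ssl


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, and a single leading '*'
    may stand in for exactly one DNS label, never the parent domain itself."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    # '*.example.com' matches 'a.example.com' but neither 'example.com'
    # nor 'a.b.example.com'.
    suffix = pattern[1:]  # '.example.com'
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def cert_names(cert: dict) -> list:
    """Names a certificate is valid for, taken from the dict format returned by
    ssl.SSLSocket.getpeercert(). Browsers only consult subjectAltName; the
    subject commonName is a legacy fallback used when no SAN is present."""
    san = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [value for rdn in cert.get("subject", ()) for (key, value) in rdn
            if key == "commonName"]


def cert_matches_host(cert: dict, hostname: str) -> bool:
    """True if any name on the certificate covers `hostname`."""
    return any(dns_name_matches(name, hostname) for name in cert_names(cert))


def fetch_peer_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the leaf certificate a live server presents for `hostname`.
    Chain validation stays on (otherwise getpeercert() returns an empty dict),
    but hostname checking is disabled so a mismatched cert can be inspected
    instead of aborting the handshake. Network call; not used offline."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() format, modelled on the mismatch the
# post describes: a certificate for promis.philsys.gov.ph served on the apex.
SAMPLE_CERT = {
    "subject": ((("commonName", "promis.philsys.gov.ph"),),),
    "subjectAltName": (("DNS", "promis.philsys.gov.ph"),),
}


if __name__ == "__main__":
    for host in ("philsys.gov.ph", "promis.philsys.gov.ph"):
        verdict = "OK" if cert_matches_host(SAMPLE_CERT, host) else "NAME MISMATCH"
        print(f"{host}: {verdict} (cert names: {cert_names(SAMPLE_CERT)})")
```

Running this against the sample prints a mismatch for philsys.gov.ph and a match for promis.philsys.gov.ph, which is exactly the warning the browser shows. To check the live site, replace SAMPLE_CERT with fetch_peer_cert("philsys.gov.ph"); note that a certificate with a broken chain would still raise an SSLError from fetch_peer_cert.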

To widen my scope, I enumerated the subdomains of the website using crt.sh, a public search interface over Certificate Transparency logs.

I also used Shodan to quickly fingerprint the PhilSys instances it had already indexed.

From these two tools I was able to find the public instances of PhilSys. The next step was to visit each subdomain and check for interesting information.
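The crt.sh step above is easy to script, and scripting it avoids missing hostnames that only appear in a certificate's subjectAltName list. The block below is an added example (my own code, not part of the original post or of MOSIP). It uses crt.sh's documented JSON output (`output=json`, records with `common_name`, `name_value` and `not_after` fields) and reduces the records to a sorted list of in-scope hostnames: names are lowercased, wildcard entries are collapsed to their parent, lookalike domains that merely end in the target string are excluded, and expired certificates can optionally be ignored. The sample records are constructed for the demonstration and are not real crt.sh data.

```python
"""Reduce crt.sh certificate-transparency results to a list of in-scope
hostnames. Added example; not code from the original post or from MOSIP."""
import json
import urllib.parse
import urllib.request
from datetime import datetime

CRTSH_URL = "https://crt.sh/?q={query}&output=json"


def fetch_crtsh(domain: str, timeout: float = 60.0) -> list:
    """Query crt.sh for every logged certificate naming a subdomain of
    `domain`. Network call; the offline function below takes the records."""
    url = CRTSH_URL.format(query=urllib.parse.quote("%." + domain))
    req = urllib.request.Request(url, headers={"User-Agent": "ct-recon-example/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def hostnames_from_crtsh(records: list, domain: str, as_of: str = None) -> list:
    """Collapse crt.sh records into a sorted, de-duplicated hostname list.

    `as_of` is an ISO-8601 timestamp (same format crt.sh uses for not_after);
    when given, certificates that expired before it are skipped, so the list
    reflects hosts that are probably still live rather than historical ones.
    """
    domain = domain.lower().rstrip(".")
    cutoff = datetime.fromisoformat(as_of) if as_of else None
    found = set()
    for rec in records:
        if cutoff is not None and datetime.fromisoformat(rec["not_after"]) < cutoff:
            continue  # expired certificate: skip when only current hosts are wanted
        # name_value holds the SAN entries separated by newlines; the CN may
        # or may not be repeated there, so add it explicitly.
        raw_names = rec.get("name_value", "").split("\n") + [rec.get("common_name", "")]
        for name in raw_names:
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]  # a wildcard still proves the parent name exists
            # Scope check: exact apex or a true subdomain. A suffix-only test
            # would wrongly accept 'philsys.gov.ph.attacker.example'.
            if name and (name == domain or name.endswith("." + domain)):
                found.add(name)
    return sorted(found)


# Constructed sample records in crt.sh's JSON shape (not real log entries).
SAMPLE_RECORDS = [
    {"id": 1, "common_name": "promis.philsys.gov.ph",
     "name_value": "promis.philsys.gov.ph\nPhilSys.gov.ph",
     "not_before": "2020-01-01T00:00:00", "not_after": "2021-01-01T00:00:00"},
    {"id": 2, "common_name": "sandbox.philsys.gov.ph",
     "name_value": "sandbox.philsys.gov.ph\nconsole.philsys.gov.ph",
     "not_before": "2020-06-01T00:00:00", "not_after": "2021-06-01T00:00:00"},
    {"id": 3, "common_name": "*.philsys.gov.ph",
     "name_value": "*.philsys.gov.ph",
     "not_before": "2020-09-01T00:00:00", "not_after": "2021-09-01T00:00:00"},
    {"id": 4, "common_name": "philsys.gov.ph.attacker.example",
     "name_value": "philsys.gov.ph.attacker.example",
     "not_before": "2020-09-01T00:00:00", "not_after": "2021-09-01T00:00:00"},
]


if __name__ == "__main__":
    print("all logged:", hostnames_from_crtsh(SAMPLE_RECORDS, "philsys.gov.ph"))
    print("unexpired on 2021-03-01:",
          hostnames_from_crtsh(SAMPLE_RECORDS, "philsys.gov.ph", as_of="2021-03-01T00:00:00"))
```

For a live run, replace SAMPLE_RECORDS with fetch_crtsh("philsys.gov.ph"). Keep both lists: the historical one is where stale, forgotten hosts like an old sandbox tend to show up, which is precisely what you want to find before an attacker does.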

sandbox.philsys.gov.ph

The MOSIP Sandbox page acts as a directory of the instances running in PhilSys.

The web page contains the following:

  • Docker versions - Links to a versions.txt file containing Docker version information.
  • Pre-Registration - Links to MOSIP's Pre-registration page.
  • Admin - Links to MOSIP's admin page.
  • Registration Client Zip - Downloads the source code of the registration client (https://sandbox.philsys.gov.ph/registration-client/1.1.2/reg-client.zip).
  • Keycloak - Links to https://sandbox.philsys.gov.ph/keycloak/auth/.
  • ActiveMQ - Links to https://sandbox.philsys.gov.ph/activemq/admin/.
  • Minio - Links to https://sandbox.philsys.gov.ph/minio/.
  • Grafana and Kibana - Listed under Monitoring.

P.S. Some links were not working.

The core platform of PhilSys is the Modular Open Source Identity Platform (MOSIP), an open source project backed by the Bill and Melinda Gates Foundation that helps governments implement digital ID systems.

Clicking the "Admin" hyperlink under the MOSIP Modules leads to PhilSys' MOSIP admin page, which was publicly accessible: no credentials were needed to reach it. The good news is that it did not contain any data.

Clicking the "Kibana" hyperlink under Monitoring leads to PhilSys' Kibana instance, which was also publicly accessible.

Kibana is an open-source data visualization and exploration tool used for log and time-series analytics, application monitoring, and operational intelligence use cases.

console.philsys.gov.ph

The console instance hosted another Kibana application, and it was also publicly accessible.

From this instance I was able to take screenshots containing information from their system that can be considered sensitive.

Responsible Disclosure

The following documents my communications related to the disclosure of the issues I identified in this report.

  • November 26, 2020 - I reported my sandbox.philsys.gov.ph findings to PhilSys via someone who is working with them.
  • November 27, 2020 - I received an update that PhilSys will block/remove the publicly accessible instance.
  • December 10, 2020 - I noticed that another Kibana instance console.philsys.gov.ph was also publicly accessible and I reported it again.
  • December 11, 2020 - I received another update that PhilSys had a meeting and they will block some ports and make some instances available via VPN.
  • December 17, 2020 - I reported another issue because they published/deployed another subdomain sandbox1.philsys.gov.ph.
  • December 17, 2020 - I confirmed that all instances are no longer accessible.

Recommendations to PhilSys

  • Staging, testing, and sandbox environments should only be reachable internally; a VPN can be used for remote access.
  • If an instance is not meant for public use, keep it private. Kibana is not a public-facing application, so it should not be exposed to the internet.
  • Put the sites behind a web application firewall so the origin IP address is not disclosed. If the origin IP is exposed, malicious actors can use it to gather more information about the system.
  • Disable self-registration on applications that do not need it. I noticed that some applications' registration forms were accessible and anyone could actually create an account (for example, PhilSys' NextCloud application).
  • Filter the currently open ports. Some instances have many ports reachable from the public internet; they should be filtered, or closed outright if they are not in use.