Machine Spirits Logo
All Advisories

Oviva epa4all-client

IDP Discovery Document Signature Bypass

The client fetches the central IDP's OpenID discovery document as a signed JWT but parses the payload without verifying the signature. An attacker who can man-in-the-middle the TLS connection to the identity provider substitutes a forged document that redirects the uri_puk_idp_enc and uri_puk_idp_sig endpoints to attacker-controlled URLs, capturing the SMC-B-signed authentication material.

Authored byChiara Fliegner, Volker Schönefeld, Simon WeberDisclosed 2026-05-11Fully disclosed 2026-05-28
SeverityHighCVSS 7.4CVSS 3.1 VectorAV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:NCWECWE-347 (Improper Verification of Cryptographic Signature)ProductOviva epa4all-clientAffected VersionsAll versions before 1.2.2Fixed In1.2.2 (incorporates pull request #36)CVECVE-2026-45575GHSAGHSA-gqx7-6552-67hf

Description

parseFromJwt() calls JWSObject.parse(jwt).getPayload(), which decodes the JWT structure but performs no signature check before the payload is consumed:

OidcClient.java:82-89

private OidcDiscoveryResponse parseFromJwt(String jwt) {
    try {
        var payload = JWSObject.parse(jwt).getPayload();
        return JsonCodec.readBytes(payload.toBytes(), OidcDiscoveryResponse.class);
    } catch (ParseException e) {
        throw new AuthorizationException("Failed to parse JWT", e);
    }
}

View source →

This compounds with a self-referential trust pattern in the challenge responder, where the challenge JWT's iss claim controls where the verification keys are fetched from. A comment in that code reads:

AuthnChallengeResponder.java:78

// Note: The challenge contains the URL to the keys, so is anyways
// in control of it. Not sure what validating the signature adds.

View source →

The forged document points uri_puk_idp_enc and uri_puk_idp_sig at attacker infrastructure. The client fetches the IDP signing key from the attacker's URL and validates the challenge against it (the circular trust), encrypts the SMC-B-signed response to the attacker's encryption key, and POSTs it to the attacker's auth endpoint. The outer HTTP client routes through the Konnektor proxy within the TI network, which provides transport-level protection and is what limits practical exploitability to an attacker already inside the TI.

Impact

  • An attacker positioned to MITM the TLS connection to the central IDP captures the SMC-B-signed authentication response and the key material exchanged during login. Holding that material, the attacker can authenticate to the ePA backend as the legitimate institution and read or modify the records of patients the institution's SMC-B card can act on.
  • During testing, a mock IDP served a discovery JWT signed with a key the client did not trust; the client completed the authorization flow against the attacker-controlled key URIs (observed as send_authcode_sc on the decrypted channel), confirming the forged document was accepted.

Mitigation

Update epa4all-client to 1.2.2 or later. No workaround is available for affected versions. The fix verifies the JWT signature in parseFromJwt() against a key that is pinned or fetched from a trusted source not derived from the JWT itself, validates the issuer against an allowlist of trusted TI IDP URIs, and pins the IDP discovery URL rather than deriving it from the challenge JWT's iss claim.

Defender's Checklist

  • Update epa4all-client to 1.2.2 or later.

    All versions before 1.2.2 are affected. The fix is pull request #36.

  • Confirm the discovery JWT signature is actually checked.

    After updating, verify that a discovery document signed with an untrusted key is rejected. The signing key must come from a pinned or trusted source, not from the JWT or challenge itself.

  • Pin the IDP discovery URL and allowlist the issuer.

    Do not derive the discovery URL or key URIs from the challenge JWT's iss claim. Pin the discovery endpoint and validate issuer against a known list of TI IDP URIs to break the self-referential trust.

  • Do not rely on the Konnektor proxy as the only barrier.

    Transport routing through the TI limits who can reach the IDP path, but it is not authentication of the discovery document. An attacker inside the TI, or one who reaches the proxy, still wins without the signature check.

Severity Reasoning

AV:NThe attack is against the network connection to the IDP. Scored network rather than adjacent because the IDP path is not confined to a local segment.AC:HThe attacker must MITM the TLS connection to the IDP from inside the Telematikinfrastruktur or compromise the Konnektor proxy that fronts it. That privileged network position is the condition outside the attacker's control.PR:NNo credentials required beyond the network position.UI:NThe client runs the OIDC discovery and authorization flow on its own; no user interaction.S:UImpact is bounded to the ePA authentication flow and the material exchanged in it.C:HThe captured SMC-B-signed authentication response and key material expose the authenticated ePA session.I:HHolding the SMC-B-signed material and the session lets the attacker act on the ePA authentication flow, not just observe it.A:NNo availability impact.

References

How We Can Help

Who We Are

The security researchers behind this advisory.

Dr. Simon Weber Profile

Dr. rer. nat. Simon Weber

Senior Pentester & MedSec Researcher

I evaluate your SaMD with the same industry-defining security insight I contributed to the BAK MV for the revision of the B3S standard.

  • PhD on Hospital Cybersecurity
  • Critical vulnerabilities found in hospital systems
  • Alumni of THB MedSec Research Group
  • gematik Security Hero
Volker Schönefeld Profile

Dipl.-Inf. Volker Schönefeld

Senior Application Security Expert

As a former CTO and developer turned pentester, I work alongside your team to uncover vulnerabilities and find solutions that fit your architecture.

  • 20+ years as CTO, 50M+ app downloads
  • Architected and secured large-scale IoT fleets
  • Certified Web Exploitation Specialist
  • gematik Security Hero
View Full Team Profiles

Looking for a Penetration Test?

Machine Spirits specializes in security assessments for medical devices and healthcare IT. From MDR penetration testing to C5 cloud compliance, we help MedTech companies meet regulatory requirements.

Get in TouchLearn More About Our Services