Rating: High
Description:
The version 1.7.0 of the iOS CWA app implements a feature to revoke key packages that are already stored in the device's local database. This is implemented via the app's configuration, which is fetched each time the app is launched. This config file can contain a list of E-Tags. These tags describe which key packages need to be removed. Two different SQL queries are used to remove the revoked packages. Both of these queries are assembled using string concatenation [1, 2].

In case [1], the injection occurs in the list variable that is created from the list of E-Tags out of the configuration file. In the second case [2], the result of this first query is used, also by string concatenation, to construct another query.

A malicious server or an attacker-controlled server can use this vulnerability to execute arbitrary SQL statements on the key package database of iOS CWA apps. In addition to that, due to the usage of SQLite, the attacker can potentially write (and potentially even read) files in the app's sandboxed filesystem.

While an attacker-controlled or fake backend is unlikely, it would certainly increase the attack surface an attacker had available if they compromised the cwa-server (by potentially gaining control over the connected iOS apps). Additionally, it could be interpreted as an intentionally placed backdoor.
Internal Tracking ID: EXPOSUREAPP-3851
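The two-query pattern described in the report, as an added illustration that is not the app's own Swift code: the schema, table names and E-Tag values are constructed for this example, and `revoke_unsafe` reproduces the concatenation defect while `revoke_safe` binds every value through placeholders, including the ids fed from the first query into the second.

```python
import sqlite3

# Constructed schema standing in for the app's key package database (not the real one).
SAMPLE_PACKAGES = [(1, "etag-a"), (2, "etag-b"), (3, "etag-c")]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE key_packages (id INTEGER PRIMARY KEY, etag TEXT NOT NULL)")
    db.executemany("INSERT INTO key_packages VALUES (?, ?)", SAMPLE_PACKAGES)
    return db

def remaining(db):
    """E-Tags still stored after revocation, sorted for stable comparison."""
    return sorted(row[0] for row in db.execute("SELECT etag FROM key_packages"))

def revoke_unsafe(db, revoked_etags):
    """Case [1]: the IN list is built by string concatenation, so a tag sent by the
    server is parsed as SQL. Case [2]: the ids that query yields are concatenated
    into a second query in the same way."""
    tag_list = ", ".join("'" + tag + "'" for tag in revoked_etags)
    rows = db.execute("SELECT id FROM key_packages WHERE etag IN (" + tag_list + ")")
    id_list = ", ".join(str(row[0]) for row in rows)
    if id_list:
        db.execute("DELETE FROM key_packages WHERE id IN (" + id_list + ")")
    return remaining(db)

def revoke_safe(db, revoked_etags):
    """Hardened: one '?' placeholder per value and the values bound separately,
    for both queries. Bound parameters cannot alter the statement's structure."""
    if not revoked_etags:
        return remaining(db)
    marks = ", ".join("?" * len(revoked_etags))
    ids = [row[0] for row in db.execute(
        f"SELECT id FROM key_packages WHERE etag IN ({marks})", list(revoked_etags))]
    if ids:
        marks = ", ".join("?" * len(ids))
        db.execute(f"DELETE FROM key_packages WHERE id IN ({marks})", ids)
    return remaining(db)

# Constructed hostile config value: closes the quoted literal and appends a tautology.
HOSTILE_ETAG = "etag-a') OR ('1'='1"

if __name__ == "__main__":
    print(revoke_unsafe(make_db(), [HOSTILE_ETAG]))  # [] : every package removed
    print(revoke_safe(make_db(), [HOSTILE_ETAG]))    # ['etag-a', 'etag-b', 'etag-c'] : no match
```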
Copy cats
Hey @BSI-TF-CWA ,
I have created a Jira ticket EXPOSUREAPP-3851 for this issue so that the developers are notified.
Thanks again for your input!
Best regards,
SG
Corona-Warn-App Open Source Team
Just for the record: this is a vulnerability in a piece of code that has _not_ been released yet.
This Issue should be closed by #1539 but the automatic closing somehow didn't work @svengabr