DIVD-2025-00001 - Multiple vulnerabilities in Sicomm BASEC Service
Field | Value |
---|---|
Our reference | DIVD-2025-00001 |
Case lead | Frank Breedijk |
Researcher(s) | |
CVE(s) | |
Products | |
Versions | |
Recommendation | If you are a user of this service please ask Sicomm to fix these vulnerabilities |
Patch status | Unpatched |
Status | Open |
Last modified | 14 Mar 2025 16:00 CET |
Summary
In late 2021, during an investigation into hacked sites used in a spam network, DIVD researcher Jesse Meijer stumbles upon the source code of Sicomm BASEC, which is unrelated to that investigation, and decides to report the public availability of this source code to Sicomm; he never gets a reply. Based on the source code he becomes suspicious that Sicomm BASEC contains vulnerabilities, and he manages to confirm his suspicions in both the source code and the live online service.
On 12 Feb 2022 he informs Sicomm support of the vulnerabilities, followed up by an email to an executive on 1 Oct 2022, but never hears back. On 1 Jan 2025 he hands over the case to DIVD CSIRT who validates his findings and tries to contact Sicomm too. An email to support on 14 Jan 2025, LinkedIn messages to several executives on 15 Jan 2025, another email to support on 22 Jan and a voice mail message to support on 26 Feb 2025 all go unanswered.
As per our CNA policy we now consider Sicomm informed and have published this case file online. We have also sent Sicomm a full report of our findings. We have sent a copy of the report to CISA, because Sicomm claims BASEC is primarily used by US entities and we have seen evidence of this.
What you can do
Sicomm BASEC is offered as a service, so the only party capable of fixing these issues is Sicomm.
If you are currently a Sicomm BASEC customer or user:
- Reach out to Sicomm to address these issues and ask them to get in contact with csirt (at) divd (dot) nl
- Consider the information in and processes run via BASEC as compromised
What we are doing
For now all we can do is publish this case file. If we do not hear back from Sicomm within the next 30 days we will do a limited disclosure of our findings and publish the CVEs.
Timeline
Date | Description |
---|---|
01 Dec 2021 | Source code discovered online |
14 Dec 2021 | First notification about public source code |
16 Dec 2021 | Second notification about public source code |
14 Dec 2021 ? | Time to acknowledge public source code |
12 Feb 2022 | First notification about vulnerabilities |
01 Oct 2022 | Second notification about vulnerabilities |
01 Jan 2025 | Case handed over to DIVD CSIRT |
14 Jan 2025 | 3rd notification about vulnerabilities |
15 Jan 2025 | 4th notification about vulnerabilities. (To board members via LinkedIn) |
16 Jan 2025 | DIVD asks CISA for assistance |
22 Jan 2025 | 5th notification about vulnerabilities. |
26 Feb 2025 | 6th notification about vulnerabilities. (Via voicemail of support) |
14 Mar 2025 | 7th notification about vulnerabilities. Full report sent to Sicomm and CISA |
12 Feb 2022 ? | Time to acknowledge receipt of vulnerabilities |
14 Mar 2025 ? | Time to patch |
14 Mar 2025 | Publication of casefile |