Published:2018/05/11  Last Updated:2018/05/11

JVN#27137002
IIJ SmartKey App for Android vulnerable to authentication bypass

Overview

IIJ SmartKey App for Android contains an authentication bypass vulnerability.

Products Affected

  • IIJ SmartKey App for Android version 2.1.0 and earlier

Description

IIJ SmartKey App for Android provided by Internet Initiative Japan Inc. is an application that enables two-step authentication (two-factor authentication) for a website from an Android device. IIJ SmartKey App for Android contains an authentication bypass vulnerability (CWE-287).

Impact

An attacker may be able to obtain a one-time password.

Solution

Update the Software
Update to the latest version according to the information provided by the developer.
The developer recommends that users update the application to version 2.1.1 or later immediately.

Apply a Workaround
The following workaround may mitigate the impact of this vulnerability.

  • Use the standard Android OS screen lock function

Vendor Status

Vendor                           Status      Last Update  Vendor Notes
Internet Initiative Japan Inc.   Vulnerable  2018/05/11

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3  CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Base Score: 3.3
  Attack Vector (AV): Local (L)
  Attack Complexity (AC): Low (L)
  Privileges Required (PR): None (N)
  User Interaction (UI): Required (R)
  Scope (S): Unchanged (U)
  Confidentiality Impact (C): Low (L)
  Integrity Impact (I): None (N)
  Availability Impact (A): None (N)

CVSS v2  AV:N/AC:H/Au:N/C:P/I:N/A:N
Base Score: 2.6
  Access Vector (AV): Network (N)
  Access Complexity (AC): High (H)
  Authentication (Au): None (N)
  Confidentiality Impact (C): Partial (P)
  Integrity Impact (I): None (N)
  Availability Impact (A): None (N)

Credit

Ryo Tateguchi of AndroPlus reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE        CVE-2018-0584
JVN iPedia JVNDB-2018-000047