JVN#11994518
Cybozu KUNAI App fails to verify SSL server certificates
Overview
Cybozu KUNAI App fails to verify SSL server certificates.
Products Affected
- Cybozu KUNAI for iPhone 2.0.3 to 3.1.5
- Cybozu KUNAI for Android 2.1.2 to 3.0.4
Description
Cybozu KUNAI App provided by Cybozu, Inc. fails to verify SSL server certificates.
Impact
A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication.
Solution
Update the Software
Update to the latest version according to the information provided by the developer.
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| Cybozu, Inc. | Vulnerable | 2016/05/16 | Cybozu, Inc. website |
References
JPCERT/CC Addendum
This JVN advisory was published at 14:00 on May 16, 2016, however developer provided URL included under "Vendor Status" is currently invalid. According to the developer, the URL will be valid at 18:00 on May 16, 2016.
[Added on May 16, 2016]
JPCERT/CC confirmed that the URL provided by the developer was valid since 18:30 on May 16, 2016.
Vulnerability Analysis by JPCERT/CC
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
|---|---|---|---|
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Comment
This analysis assumes a man-in-the-middle attack being conducted by an attacker that places a malicious wireless LAN access point.
Credit
Kusano Kazuhiko reported this vulnerability to the developer.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2016-1187 |
| JVN iPedia |
JVNDB-2016-000060 |
Update History
- 2016/05/16
- Information under the section "JPCERT/CC Addendum" was updated.
- 2016/05/16
- Cybozu, Inc. update status