Published:2018/06/15 Last Updated:2018/06/15
JVN#71535108
ANA App for iOS fails to verify SSL server certificates
Overview
ANA App for iOS fails to verify SSL server certificates.
Products Affected
- ANA App for iOS version 4.0.22 and earlier
Description
ANA App for iOS provided by ALL NIPPON AIRWAYS CO., LTD fails to verify SSL server certificates (CWE-295).
Impact
A man-in-the-middle attack may allow an attacker to obtain and/or alter on a content of communication.
Solution
Update the Application
Update to the latest version according to the information provided by the developer.
Vendor Status
Vendor | Status | Last Update | Vendor Notes |
---|---|---|---|
ALL NIPPON AIRWAYS CO., LTD | Vulnerable | 2018/06/15 | ALL NIPPON AIRWAYS CO., LTD website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
CVSS v3
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Base Score:
4.8
CVSS v2
AV:N/AC:H/Au:N/C:P/I:P/A:N
Base Score:
4.0
Comment
This analysis assumes a man-in-the-middle attack being conducted by an attacker that places a malicious wireless LAN access point.
Credit
Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
JPCERT Alert |
|
JPCERT Reports |
|
CERT Advisory |
|
CPNI Advisory |
|
TRnotes |
|
CVE |
CVE-2018-0611 |
JVN iPedia |
JVNDB-2018-000065 |