JVN#27137002
IIJ SmartKey App for Android vulnerable to authentication bypass
Overview
IIJ SmartKey App for Android contains an authentication bypass vulnerability.
Products Affected
- IIJ SmartKey App for Android version 2.1.0 and earlier
Description
IIJ SmartKey App for Android provided by Internet Initiative Japan Inc. is an application that enables two-step authentication (two-factor authentication) for a website from an Android device. IIJ SmartKey App for Android contains an authentication bypass vulnerability (CWE-287).
Impact
An attacker may be able to obtain one-time password.
Solution
Update the Software
Update to the latest version according to the information provided by the developer.
The developer recommends that users should update the application to 2.1.1 or later version immediately.
Apply a Workaround
The following workaround may mitigate the impact of this vulnerability.
- Use the screen lock of Android OS standard function
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| Internet Initiative Japan Inc. | Vulnerable | 2018/05/11 |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
|---|---|---|---|
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
Ryo Tateguchi of AndroPlus reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory | |
| CPNI Advisory | |
| TRnotes | |
| CVE |
CVE-2018-0584 |
| JVN iPedia |
JVNDB-2018-000047 |