JVN#28845872
Android App "MyPallete" vulnerable to improper server certificate verification
Overview
Android App "MyPallete" is vulnerable to improper server certificate verification.
Products Affected
- Android App "MyPallete"
- Android applications based on "MyPallete"
Description
"MyPallete", developed by NTT Data Corporation, is an Android application platform that several financial institutions use to provide Android apps to their customers.
"MyPallete" and the applications based on it do not properly verify the server certificate presented during the TLS handshake (CWE-295: Improper Certificate Validation) and do not properly check that the certificate matches the host being contacted (CWE-297: Improper Validation of Certificate with Host Mismatch).
Impact
An attacker positioned between the app and its server (a man-in-the-middle) may present a certificate that was not issued for the bank's host and still have the app accept it, allowing the attacker to eavesdrop on communication that is supposed to be encrypted.
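The two checks the app omits, as an added illustration that is not code from MyPallete or NTT Data. Python is used so the checks run stand-alone; the logic is what Android's default X509TrustManager and HostnameVerifier already perform, and what an app gives up when it installs accept-all replacements. The host names and SAN lists are constructed for the example.

```python
"""Hostname matching (CWE-297) and chain-verification policy (CWE-295) for a TLS client.

Added example, not code from MyPallete or NTT Data. The host names and SAN lists
below are constructed for illustration.
"""
import ssl
from ipaddress import ip_address


def _is_ip(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def matches_hostname(hostname: str, san_dns_names: list) -> bool:
    """Return True if one of the certificate's DNS SAN entries names `hostname`.

    Implements the RFC 6125 rules a HostnameVerifier must enforce: comparison is
    case-insensitive, a wildcard is only allowed as the entire left-most label and
    only once, it never matches across a dot, '*.tld' style names are rejected,
    and a wildcard never matches an IP literal.
    """
    host = hostname.lower().rstrip(".")
    host_labels = host.split(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if "*" not in name:
            continue
        name_labels = name.split(".")
        if (
            _is_ip(host)                              # wildcards never cover IP literals
            or name_labels[0] != "*"                  # wildcard must be the whole first label
            or "*" in name[2:]                        # ... and the only wildcard
            or len(name_labels) < 3                   # '*.com' is rejected
            or len(name_labels) != len(host_labels)   # no matching across a dot
            or not host_labels[0]                     # nothing for '*' to cover
        ):
            continue
        if name_labels[1:] == host_labels[1:]:
            return True
    return False


def accept_all_verifier(hostname: str, san_dns_names: list) -> bool:
    """The CWE-297 pattern: a HostnameVerifier whose verify() always returns true.
    Any certificate the attacker can obtain, for any name, passes."""
    return True


def permissive_context() -> ssl.SSLContext:
    """The CWE-295 + CWE-297 configuration: no chain verification, no name check.
    Equivalent to an X509TrustManager with an empty checkServerTrusted() plus
    an accept-all HostnameVerifier."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Default client context: chain validated against the system trust store
    (CERT_REQUIRED) and the certificate must name the host (check_hostname)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def verification_policy(ctx: ssl.SSLContext) -> tuple:
    """(chain verified?, hostname checked?) for a context, for audits and tests."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED, bool(ctx.check_hostname))


# Constructed sample data (not real certificates): the bank's legitimate SAN list
# and the SAN list of a certificate a rogue access point could present.
BANK_HOST = "app.bank.example"
LEGIT_SANS = ["app.bank.example", "*.api.bank.example"]
ROGUE_SANS = ["*.attacker.example", "evil.example"]


def mitm_scenario() -> dict:
    """Outcome of the same rogue certificate under each verifier."""
    return {
        "rfc6125_accepts_legit": matches_hostname(BANK_HOST, LEGIT_SANS),
        "rfc6125_accepts_rogue": matches_hostname(BANK_HOST, ROGUE_SANS),
        "accept_all_accepts_rogue": accept_all_verifier(BANK_HOST, ROGUE_SANS),
    }


if __name__ == "__main__":
    print(mitm_scenario())
    print("permissive:", verification_policy(permissive_context()))
    print("hardened:", verification_policy(hardened_context()))
```

The accept-all verifier is what lets the rogue-access-point scenario in the JPCERT/CC comment succeed: the attacker terminates TLS with any certificate it controls and the app never notices the name mismatch or the untrusted issuer. Note that in Python `check_hostname` has to be cleared before `verify_mode` is relaxed, which is a useful grep target when auditing client code for the weak configuration.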
Solution
Update the Application
Apply the latest update according to the information provided by the developer and/or respective financial institutions.
Vendor Status
Vendor | Link
---|---
NTT Data Corporation | Official Announcement from NTT Data Corporation
The Ashikaga Bank, Ltd. | Official Announcement from The Ashikaga Bank, Ltd.
The Senshu Ikeda Bank, Ltd. | Official Announcement from The Senshu Ikeda Bank, Ltd.
Shikoku Bank, Ltd. | Official Announcement from Shikoku Bank, Ltd.
The Tohoku Bank, Ltd. | Official Announcement from The Tohoku Bank, Ltd.
THE NAGANO BANK, LTD | Official Announcement from THE NAGANO BANK, LTD
The 77 bank, Ltd. | Official Announcement from The 77 bank, Ltd.
The Hokkaido Bank, Ltd. | Official Announcement from The Hokkaido Bank, Ltd.
THE HOKURIKU BANK, LTD. | Official Announcement from THE HOKURIKU BANK, LTD.
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
CVSS v3 base metrics assessed: Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), User Interaction (UI), Scope (S), Confidentiality Impact (C), Integrity Impact (I), Availability Impact (A). The selected values are not shown on this page.
CVSS v2 base metrics assessed: Access Vector (AV), Access Complexity (AC), Authentication (Au), Confidentiality Impact (C), Integrity Impact (I), Availability Impact (A). The selected values are not shown on this page.
Comment
This analysis assumes a man-in-the-middle attack conducted by an attacker who sets up a malicious wireless LAN access point that the victim's device connects to.
Credit
Dai Nakamura of the Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
Item | Reference
---|---
JPCERT Alert | 
JPCERT Reports | 
CERT Advisory | 
CPNI Advisory | 
TRnotes | 
CVE | CVE-2020-5523
JVN iPedia | JVNDB-2020-000007