Published:2020/01/28  Last Updated:2020/01/28

JVN#28845872
Android App "MyPallete" vulnerable to improper server certificate verification

Overview

Android App "MyPallete" is vulnerable to improper server certificate verification.

Products Affected

  • Android App "MyPallete"
  • Android applications based on "MyPallete"
As for the details of the affected Android applications using "MyPallete", refer to the information under the section [Vendor Status].

Description

Android App "MyPallete" developed by NTT Data Corporation is used by several financial institutions as Android applications for their customers.
"MyPallete" is vulnerable to improper server certificate verification (CWE-295) and to improper host-matching validation (CWE-297).

Impact

A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication.

Solution

Update the Application
Apply the latest update according to the information provided by the developer and/or respective financial institutions.

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Base Score: 4.8
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
CVSS v2 AV:N/AC:H/Au:N/C:P/I:P/A:N
Base Score: 4.0
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)

Comment

This analysis assumes a man-in-the-middle attack being conducted by an attacker that places a malicious wireless LAN access point.

Credit

Dai Nakamura of Cryptography Laboratory,Department of Information and Communication Engineering,Tokyo Denki University reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2020-5523
JVN iPedia JVNDB-2020-000007