Published:2016/12/06  Last Updated:2016/12/09

JVNVU#92900492
三菱東京UFJ銀行 for Android vulnerable to SSL/TLS downgrade attack

Overview

三菱東京UFJ銀行 for Android is vulnerable to an SSL/TLS downgrade attack.

Products Affected

  • 三菱東京UFJ銀行 for Android ver5.3.1
  • 三菱東京UFJ銀行 for Android ver5.2.2 and earlier

Description

三菱東京UFJ銀行 for Android, provided by The Bank of Tokyo-Mitsubishi UFJ, Ltd., attempts to communicate with its server over TLS v1.2.  However, when the server's response indicates SSL v3.0, the application continues the connection over SSL v3.0 instead of rejecting the downgrade (CWE-757: Selection of Less-Secure Algorithm During Negotiation, "Algorithm Downgrade").  As a result, the application may be exploited by a POODLE attack.

CVE-2016-7812 is assigned to this issue. The scope of this identifier is limited to 三菱東京UFJ銀行 for Android only.
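
The downgrade described above, illustrated as an added Python example (this is not code from the application, the vendor, or JPCERT/CC): a minimal parser for the TLS record header and ServerHello handshake header, a permissive check that simply uses whatever protocol version the server answers with (the CWE-757 behaviour), and a strict check that aborts when the server selects a version below the minimum the client intended. The two ServerHello byte strings are constructed inline for the example; the SSL v3.0 one stands in for the response a man-in-the-middle would substitute.

```python
import struct

# Protocol version codes as carried in the TLS record and handshake headers.
SSL_3_0 = (3, 0)
TLS_1_0 = (3, 1)
TLS_1_1 = (3, 2)
TLS_1_2 = (3, 3)
VERSION_NAMES = {SSL_3_0: "SSLv3", TLS_1_0: "TLSv1.0",
                 TLS_1_1: "TLSv1.1", TLS_1_2: "TLSv1.2"}

HANDSHAKE = 22     # record-layer content type
SERVER_HELLO = 2   # handshake message type


class DowngradeError(Exception):
    """Raised when the server selects a protocol version below the client's minimum."""


def parse_server_hello(record: bytes):
    """Return the (major, minor) server_version from a ServerHello record.

    Layout: 5-byte record header (type, version, length), then a 4-byte
    handshake header (msg_type, 3-byte length), then server_version (2 bytes).
    """
    if len(record) < 11:
        raise ValueError("record too short for a ServerHello")
    content_type, _rec_major, _rec_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != HANDSHAKE:
        raise ValueError(f"not a handshake record (content type {content_type})")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    msg_type = body[0]
    msg_len = int.from_bytes(body[1:4], "big")
    if msg_type != SERVER_HELLO:
        raise ValueError(f"not a ServerHello (handshake type {msg_type})")
    if len(body) - 4 != msg_len:
        raise ValueError("truncated handshake message")
    return body[4], body[5]


def negotiated_version_permissive(record: bytes):
    """CWE-757 behaviour: whatever version the server replies with is used as-is."""
    return parse_server_hello(record)


def negotiated_version_strict(record: bytes, minimum=TLS_1_2):
    """Hardened behaviour: refuse to continue below the client's intended minimum."""
    version = parse_server_hello(record)
    if version < minimum:
        raise DowngradeError(
            f"server selected {VERSION_NAMES.get(version, version)}, "
            f"below required {VERSION_NAMES[minimum]}")
    return version


def build_server_hello(major: int, minor: int, server_random: bytes = b"\x00" * 32,
                       cipher_suite: bytes = b"\x00\x2f") -> bytes:
    """Construct a minimal ServerHello record (empty session id, no extensions).

    This is a constructed sample for the example, not a captured message.
    """
    body = bytes([major, minor]) + server_random + b"\x00" + cipher_suite + b"\x00"
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, major, minor]) + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample responses: the legitimate TLS 1.2 answer, and the SSL 3.0
# answer a downgrading man-in-the-middle would substitute for it.
TLS12_SERVER_HELLO = build_server_hello(*TLS_1_2)
SSL3_SERVER_HELLO = build_server_hello(*SSL_3_0)


def demo() -> dict:
    """Run both checks over both samples; returns a name -> outcome mapping."""
    results = {}
    for name, rec in (("tls12", TLS12_SERVER_HELLO), ("ssl3", SSL3_SERVER_HELLO)):
        results[name + "_permissive"] = VERSION_NAMES[negotiated_version_permissive(rec)]
        try:
            results[name + "_strict"] = VERSION_NAMES[negotiated_version_strict(rec)]
        except DowngradeError as exc:
            results[name + "_strict"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for key, outcome in demo().items():
        print(f"{key:18} {outcome}")
```

The permissive path is the vulnerable shape: the client never compares the server's answer against what it set out to use, so an attacker who can tamper with the handshake gets an SSL v3.0 session, which POODLE then attacks through its CBC padding. In a real client this check is not hand-written; it is enforced by restricting the protocol versions the TLS library is allowed to negotiate (on Android, for example, by limiting the enabled protocols on the SSLSocket to TLSv1.2). Where a client deliberately retries with older versions after a failed handshake, TLS_FALLBACK_SCSV (RFC 7507) lets a server detect that the retry was not a genuine version-mismatch.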

Impact

An attacker positioned as a man-in-the-middle between the application and the server may force the connection down to SSL v3.0 and eavesdrop on the encrypted communication.

Solution

Update the Software
Update to the latest version according to the information provided by The Bank of Tokyo-Mitsubishi UFJ, Ltd.

Vendor Status

Vendor Link
The Bank of Tokyo-Mitsubishi UFJ, Ltd. 三菱東京UFJ銀行 - Android Apps on Google Play

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score: 3.7
CVSS v2 AV:N/AC:H/Au:N/C:P/I:N/A:N
Base Score: 2.6

Comment

This analysis assumes a man-in-the-middle attack conducted by an attacker who sets up a malicious wireless LAN access point.

Credit

Reo Yoshida reported this vulnerability to JPCERT/CC, and JPCERT/CC coordinated with The Bank of Tokyo-Mitsubishi UFJ, Ltd.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2016-7812
JVN iPedia

Update History

2016/12/09
An explanation of the CVE identifier was added to the [Description] section.