PT-2018-9017 · Softbank +Message App, NTT DOCOMO +Message App, KDDI +Message App

Ma.La · Published 2018-11-15 · Updated 2019-02-04 · CVE-2018-0691

CVSS v3.1 · 5.9 · Medium

Vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Softbank +Message App for Android versions prior to 10.1.7
Softbank +Message App for iOS versions prior to 1.1.23
NTT DOCOMO +Message App for Android versions prior to 42.40.2800
NTT DOCOMO +Message App for iOS versions prior to 1.1.23
KDDI +Message App for Android versions prior to 1.0.6
KDDI +Message App for iOS versions prior to 1.1.23

Description

The issue allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate, as the apps do not verify X.509 certificates from SSL servers.

Recommendations

For Softbank +Message App for Android versions prior to 10.1.7, update to version 10.1.7 or later.
For Softbank +Message App for iOS versions prior to 1.1.23, update to version 1.1.23 or later.
For NTT DOCOMO +Message App for Android versions prior to 42.40.2800, update to version 42.40.2800 or later.
For NTT DOCOMO +Message App for iOS versions prior to 1.1.23, update to version 1.1.23 or later.
For KDDI +Message App for Android versions prior to 1.0.6, update to version 1.0.6 or later.
For KDDI +Message App for iOS versions prior to 1.1.23, update to version 1.1.23 or later.

Fix

Improper Certificate Validation


Weakness Enumeration

Related Identifiers

CVE-2018-0691

Affected Products

Kddi +Message App
Ntt Docomo +Message App
Softbank +Message App