PT-2018-9516 · Subsonic · Dsub For Subsonic

Published 2018-09-06 · Updated 2018-12-12 · CVE-2018-1000664

CVSS v3.1: 5.9 Medium

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

DSub for Subsonic (Android client) version 5.4.1

Description

The issue concerns improper certificate validation in the HTTPS client: the client accepts any server certificate that is not signed by a CA, including self-signed and expired certificates. This can be exploited when the victim connects to a server whose connection is being intercepted or proxied by an attacker (MITM).

Recommendations

For DSub for Subsonic (Android client) version 5.4.1, consider disabling the HTTPS client functionality until a patch is available that properly validates server certificates. Restrict connections to trusted servers only to minimize the risk of exploitation.

Fix

Improper Certificate Validation


Weakness Enumeration

Related Identifiers

CVE-2018-1000664

Affected Products

Dsub For Subsonic