Lucene search

JpcertCVE-2018-0691

HistoryNov 15, 2018 - 3:29 p.m.

CVE-2018-0691

2018-11-1515:29:00

CWE-295

jpcert

web.nvd.nist.gov

cve-2018-0691

message apps

android

ios

ssl

x.509

certificate verification

man-in-the-middle

nvd

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

Confidence

High

EPSS

0.001

Percentile

39.2%

JSON

Multiple +Message Apps (Softbank +Message App for Android prior to version 10.1.7, Softbank +Message App for iOS prior to version 1.1.23, NTT DOCOMO +Message App for Android prior to version 42.40.2800, NTT DOCOMO +Message App for iOS prior to version 1.1.23, KDDI +Message App for Android prior to version 1.0.6, and KDDI +Message App for iOS prior to version 1.1.23) do not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Affected configurations

Nvd

Node

googleandroidMatch-

AND

kddi\+_messageRange<1.0.6

ntttocomo\+_messageRange<42.40.2800

softbank\+_messageRange<10.1.7

Node

appleiphone_os

AND

kddi\+_messageRange<1.1.23

ntt_tocomo\+_messageRange<1.1.23

softbank\+_messageRange<1.1.23

VendorProductVersionCPE
googleandroid-cpe:2.3:o:google:android:-:*:*:*:*:*:*:*
kddi\+_message*cpe:2.3:a:kddi:\+_message:*:*:*:*:*:*:*:*
ntttocomo\+_message*cpe:2.3:a:ntttocomo:\+_message:*:*:*:*:*:*:*:*
softbank\+_message*cpe:2.3:a:softbank:\+_message:*:*:*:*:*:*:*:*
appleiphone_os*cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
ntt_tocomo\+_message*cpe:2.3:a:ntt_tocomo:\+_message:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
google	android	-	cpe:2.3:o:google:android:-:::::::*
kddi	\+_message	*	cpe:2.3:a:kddi:\+_message::::::::
ntttocomo	\+_message	*	cpe:2.3:a:ntttocomo:\+_message::::::::
softbank	\+_message	*	cpe:2.3:a:softbank:\+_message::::::::
apple	iphone_os	*	cpe:2.3:o:apple:iphone_os::::::::
ntt_tocomo	\+_message	*	cpe:2.3:a:ntt_tocomo:\+_message::::::::

CNA Affected

[
  {
    "product": "Multiple +Message Apps (Softbank +Message App for Android prior to version 10.1.7, Softbank +Message App for iOS prior to version 1.1.23, NTT DOCOMO +Message App for Android prior to version 42.40.2800, NTT DOCOMO +Message App for iOS prior to version 1.1.23, KDDI +Message App for Android prior to version 1.0.6, and KDDI +Message App for iOS prior to version 1.1.23)",
    "vendor": "Softbank, NTT docomo, KDDI",
    "versions": [
      {
        "status": "affected",
        "version": "Softbank +Message App for Android prior to version 10.1.7, Softbank +Message App for iOS prior to version 1.1.23, NTT DOCOMO +Message App for Android prior to version 42.40.2800, NTT DOCOMO +Message App for iOS prior to version 1.1.23, KDDI +Message App for Android prior to version 1.0.6, and KDDI +Message App for iOS prior to version 1.1.23"
      }
    ]
  }
]

References

jvn.jp/en/jp/JVN37288228/index.html

www.au.com/information/notice_mobile/service/2018-002/

www.nttdocomo.co.jp/info/notice/page/180927_00.html

www.softbank.jp/mobile/info/personal/news/service/20180927a/

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

Confidence

High

EPSS

0.001

Percentile

39.2%

JSON

Related for CVE-2018-0691