Intel Crosswalk Project Man-In-The-Middle

2016.07.30
Credit: Anon
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2016-5672
CWE: CWE-310


CVSS Base Score: 5.8/10
Impact Subscore: 4.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None

[Original at: https://wwws.nightwatchcybersecurity.com/2016/07/29/advisory-intel-crosswalk-ssl-prompt-issue/] Summary The Intel Crosswalk Project library for cross-platform mobile development did not properly handle SSL errors. This behaviour could subject applications developed using this library to SSL MITM attacks. Vulnerability Details The Crosswalk Project, created by Intels Open Source Technology Center, allows mobile developers to use HTML, CSS and Javascript to develop and deploy mobile apps across multiple platforms from the same codebase. The library packages the HTML assets provided by the developer and runs them inside a WebView on the device. The library also bridges some of the common APIs and services from the Javascript code in the WebView to the underlying platform. The project supports deployment to iOS, Windows Phone and Android. It is implemented in multiple apps, some of which can be found here. For the Android implementation of CrossWalk when an invalid or self-signed SSL certificate is used during communication with the server, the underlying library displays a prompt to the user asking them to grant permission or deny permission to this certificate. If the user allows the certificate, that choice is remembered going forward and from that point in, all subsequent requests with invalid SSL certificates are accepted by the application, and are not rechecked. This applies even to connections over different WiFi hotspots and different certificates. This may allow a network-level attacker to mount MITM attack using invalid SSL certificate and capture sensitive data. Example of error dialog The fix changes the behaviour to generate a programmatic error message not visible to the user about an invalid SSL certificate. This issue has been fixed in the following versions of Crosswalk and all users of the library are encouraged to upgrade: - 19.49.514.5 (stable) - 20.50.533.11 (beta) - 21.51.546.0 (beta) - 22.51.549.0 (canary) This issue was originally discovered while testing a third-party Android app using this library. References CERT/CC vulnerability note: https://www.kb.cert.org/vuls/id/217871 Crosswalk security advisory: https://lists.crosswalk-project.org/pipermail/crosswalk-help/2016-July/002167.html CVE - CVE-2016-5672: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5672 Intel blog post: https://blogs.intel.com/evangelists/2016/07/28/crosswalk-security-vulnerability/ Credits Thank you to CERT/CC for coordination on this issue, and to the Intel Open Source Technology Center for the fix. Timeline 2016-05-25: Reported issue to the Intel PSIRT, got an automated reply 2016-05-30: Reached out to CERT/CC for help reaching Intel 2016-06-01: Request from CERT/CC for more details, provided details via secure form 2016-06-15: Response from CERT/CC that Intel is planning a fix within 45 days 2016-06-23: Direct contact from Intel 2016-07-01: Asking CERT/CC to reserve a CVE, CERT/CC assigns a CVE 2016-07-22: Intel fix is finished and ready for testing 2016-07-25: We confirm the fix and coordinate disclosure dates 2016-07-29: Coordinated public disclosure

References:

https://wwws.nightwatchcybersecurity.com/2016/07/29/advisory-intel-crosswalk-ssl-prompt-issue/
https://www.kb.cert.org/vuls/id/217871


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top