SB2018011007 - Multiple vulnerabilities in General Motors SOS iOS Client
Published: January 10, 2018
Security Bulletin ID
SB2018011007
Severity
Low
Patch available
NO
Number of vulnerabilities
3
Exploitation vector
Remote access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2017-9663)
The vulnerability allows a remote attacker to obtain potentially sensitive on the target system.The weakness exists due to cleartext storage of sensitive information. A remote attacker can access an encryption key that is stored in cleartext in memory.
2) Man-in-the-middle attack (CVE-ID: CVE-2017-12697)
The vulnerability allows a remote attacker to conduct man-in-the-middle attack.The weakness exists due to improper access control. A remote attacker can perform MitM attacks to intercept sensitive information when the client connects to the server.
3) Improper authentication (CVE-ID: CVE-2017-12695)
The vulnerability allows a remote attacker to bypass security restrictions on the target system.The weakness exists due to improper authentication. A remote attacker can subvert security mechanisms and reset a user account password.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.