SB2018011717 - Improper Certificate Validation in webdav neon
Published: January 17, 2018 Updated: August 8, 2020
Description
This security bulletin contains information about 1 vulnerability.
1) Improper Certificate Validation (CVE-ID: CVE-2018-5258)
The vulnerability allows a remote unauthenticated attacker to gain access to sensitive information.
The Neon app 1.6.14 for iOS does not verify X.509 certificates from SSL servers, which allows remote attackers to spoof servers and obtain sensitive information via a crafted certificate.
Remediation
Install the update from the vendor's website.
References
- https://gist.github.com/rlaneth/d2203c206d5d5acbdaf6069e78b1d07f
- https://radialle.com/cve-2018-5258-writeup-aplicativo-do-banco-neon-para-ios-n%C3%A3o-valida-certificados-ssl-84bed0b0cecb
- https://www.tecmundo.com.br/seguranca/126192-banco-neon-falha-permite-hacker-acesse-conta-roube-dados-clientes.htm