Main Vulnerability Database Vulnerabilities #VU24687

Improper Certificate Validation in Hokuriku Bank, Ltd. products - CVE-2020-5523

Published: January 28, 2020

Vulnerability identifier: #VU24687

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2020-5523

CWE-ID: CWE-295

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: NTT DATA Corporation
The Ashikaga Bank, Ltd.
The Senshu Ikeda Bank, Ltd.
The Shikoku Bank, Ltd.
The Tohoku Bank, Ltd.
THE NAGANO BANK, LTD.
The 77 bank, Ltd.
The Hokkaido Bank,Ltd.
Hokuriku Bank, Ltd.

Affected software:
MyPallete
Ashigin app
Ikeda Senshu Bank Banking App
Shikoku Bank App
Tougin app
Nagagin app
77 Bank Application
Dogin app
Hokuriku Bank Portal App

Detailed vulnerability description

The vulnerability allows a remote attacker to perform a man-in-the-middle attack.

The vulnerability exists due to the Android App "MyPallete" and some of the Android banking applications based on "MyPallete" fail to verify SSL server certificates and also do not properly validate certificates with host-mismatch. A remote attacker can supply a specially crafted SSL certificate, perform a man-in-the-middle attack and eavesdrop on an encrypted communication.

How to mitigate CVE-2020-5523

Install updates from vendor's website released on January 28, 2020.

Improper Certificate Validation in Hokuriku Bank, Ltd. products - CVE-2020-5523

Detailed vulnerability description

How to mitigate CVE-2020-5523

Sources

Please verify you're human