Information disclosure in SOS iOS Client - CVE-2017-9663
Published: January 10, 2018
Vulnerability identifier: #VU9920
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-9663
CWE-ID: CWE-312
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: General Motors
Affected software:
SOS iOS Client
Detailed vulnerability description
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists due to cleartext storage of sensitive information. A remote attacker can access an encryption key that is stored in cleartext in memory.
How to mitigate CVE-2017-9663
GM recommends the following mitigations:
- Users should not root or jailbreak their phones to prevent the preconditions for attacker access to mobile phone memory, including the ability to read JSON web token encryption keys.
- GM HTTP Public Key Pinning rollout is complete to mitigate Man-In-The-Middle attacks for SOS iOS Client Version 7.1. The rollout includes back office and iOS client changes (now version 7.2). For North America iOS OnStar clients, HTTP Public Key Pinning deployment (back office and mobile app) is scheduled for December 2017.
- Debugging code was removed from SOS Identity Management servers to prevent attacker access to user accounts.