Man-in-the-middle attack in SOS iOS Client - CVE-2017-12697

 


Published: January 10, 2018


Vulnerability identifier: #VU9921
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-12697
CWE-ID: CWE-300
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: General Motors
Affected software:
SOS iOS Client

Detailed vulnerability description

The vulnerability allows a remote attacker to conduct a man-in-the-middle attack.

The weakness exists due to improper access control. A remote attacker can perform MitM attacks to intercept sensitive information when the client connects to the server.

How to mitigate CVE-2017-12697

GM recommends the following mitigations:

  • Users should not root or jailbreak their phones, which prevents the preconditions for attacker access to mobile phone memory, including the ability to read JSON web token encryption keys.
  • GM has completed its HTTP Public Key Pinning rollout to mitigate man-in-the-middle attacks for SOS iOS Client Version 7.1. The rollout includes back office and iOS client changes (now version 7.2). For North America iOS OnStar clients, HTTP Public Key Pinning deployment (back office and mobile app) is scheduled for December 2017.
  • Debugging code was removed from SOS Identity Management servers to prevent attacker access to user accounts.
