Improper authentication in SOS iOS Client - CVE-2017-12695
Published: January 10, 2018
Vulnerability identifier: #VU9922
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-12695
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: General Motors
Affected software:
SOS iOS Client
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to improper authentication. A remote attacker can subvert security mechanisms and reset a user account password.
How to mitigate CVE-2017-12695
GM recommends the following mitigations:
- Users should not root or jailbreak their phones. Doing so creates the preconditions for attacker access to mobile phone memory, including the ability to read JSON Web Token encryption keys.
- The GM HTTP Public Key Pinning rollout, which mitigates man-in-the-middle attacks against SOS iOS Client Version 7.1, is complete. The rollout includes back office and iOS client changes (now version 7.2). For North America iOS OnStar clients, HTTP Public Key Pinning deployment (back office and mobile app) is scheduled for December 2017.
- Debugging code was removed from SOS Identity Management servers to prevent attacker access to user accounts.