#VU24687 Improper Certificate Validation in Hokuriku Bank, Ltd. Mobile applications


Published: 2020-01-28

Vulnerability identifier: #VU24687

Vulnerability risk: Medium

CVSSv3.1: 4.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-5523

CWE-ID: CWE-295

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
MyPallete
Mobile applications / Apps for mobile phones
Ashigin app
Mobile applications / Apps for mobile phones
Ikeda Senshu Bank Banking App
Mobile applications / Apps for mobile phones
Shikoku Bank App
Mobile applications / Apps for mobile phones
Tougin app
Mobile applications / Apps for mobile phones
Nagagin app
Mobile applications / Apps for mobile phones
77 Bank Application
Mobile applications / Apps for mobile phones
Dogin app
Mobile applications / Apps for mobile phones
Hokuriku Bank Portal App
Mobile applications / Apps for mobile phones

Vendors:
NTT DATA Corporation (MyPallete)
The Ashikaga Bank, Ltd.
The Senshu Ikeda Bank, Ltd.
The Shikoku Bank, Ltd.
The Tohoku Bank, Ltd.
THE NAGANO BANK, LTD.
The 77 Bank, Ltd.
The Hokkaido Bank, Ltd.
Hokuriku Bank, Ltd.

Description

The vulnerability allows a remote attacker positioned on the network path to perform a man-in-the-middle attack.

The vulnerability exists because the Android app "MyPallete" and several Android banking apps built on "MyPallete" neither verify that the SSL/TLS server certificate chains to a trusted CA nor check that the certificate's name matches the host being contacted. An attacker who can intercept the app's traffic (for example on a shared Wi-Fi network) can present a certificate for a different host, or one not issued by a trusted CA, and the app accepts it. The attacker can then read, and potentially modify, traffic between the app and the bank's servers that the user believes is encrypted end to end.
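The two checks the advisory says the apps skipped, chain verification and hostname matching, as an added example written for this page (not code from NTT DATA, any of the banks, or the MyPallete framework). It shows the client-side TLS configuration that produces the vulnerable behaviour beside the hardened one, and a stand-alone hostname matcher of the kind a TLS stack applies to the certificate's subjectAltName entries. The certificate dictionaries are constructed by hand in the shape Python's `ssl.SSLSocket.getpeercert()` returns, so it runs offline; the hostnames `app.bank.example` and `attacker.example` are placeholders, not names from the advisory.

```python
"""Server-certificate and hostname checks of the kind the affected apps skipped.

Added example, not code from the advisory's vendors. Certificate dictionaries
are constructed inline in the ssl.getpeercert() shape; no network is needed.
"""
import ssl
from typing import Optional


class CertificateHostnameMismatch(Exception):
    """Raised when no SAN dNSName in the certificate matches the target host."""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match of one SAN dNSName pattern against a hostname.

    Rules applied (the strict subset most current TLS stacks use):
      * comparison is case-insensitive and ignores a trailing dot;
      * a wildcard is honoured only as the whole left-most label ("*.bank.example");
      * the wildcard matches exactly one label, so "*.api.bank.example" does
        not cover "a.b.api.bank.example";
      * a wildcard needs at least two labels to its right, so "*.com" is rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # wildcard anywhere other than as the whole left-most label
    if len(p_labels) < 3:
        return False  # "*.com" would match every .com host
    if len(h_labels) != len(p_labels):
        return False  # the wildcard stands in for exactly one label
    return h_labels[1:] == p_labels[1:]


def verify_peer_hostname(cert: dict, hostname: str) -> str:
    """Return the SAN entry that matched, or raise CertificateHostnameMismatch.

    Only subjectAltName dNSName entries are consulted; the subject CN is
    deliberately ignored, as current browsers and Android (7.0 and later) do.
    """
    san = cert.get("subjectAltName", ())
    dns_names = [value for (kind, value) in san if kind == "DNS"]
    if not dns_names:
        raise CertificateHostnameMismatch(f"no dNSName SAN to check against {hostname}")
    for name in dns_names:
        if hostname_matches(name, hostname):
            return name
    raise CertificateHostnameMismatch(f"{hostname} matches none of {dns_names}")


def vulnerable_client_context() -> ssl.SSLContext:
    """The configuration the advisory describes: no chain check, no hostname check.

    Any certificate, including one minted by a machine in the middle, is accepted.
    (check_hostname must be cleared before verify_mode can be set to CERT_NONE.)
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(ca_pem_path: Optional[str] = None) -> ssl.SSLContext:
    """Chain verification against the platform trust store (or one pinned CA file)
    plus hostname checking; this is the default a client should never weaken."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    if ca_pem_path:
        ctx.load_verify_locations(cafile=ca_pem_path)
    return ctx


def context_verifies(ctx: ssl.SSLContext) -> bool:
    """True only if the context both verifies the chain and checks the hostname."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


# Constructed sample (getpeercert() shape): the legitimate server certificate.
BANK_CERT = {
    "subject": ((("commonName", "app.bank.example"),),),
    "subjectAltName": (("DNS", "app.bank.example"), ("DNS", "*.api.bank.example")),
}
# Constructed sample: what an interceptor can present, valid only for its own name.
MITM_CERT = {
    "subject": ((("commonName", "attacker.example"),),),
    "subjectAltName": (("DNS", "attacker.example"),),
}

if __name__ == "__main__":
    print("accepted SAN:", verify_peer_hostname(BANK_CERT, "app.bank.example"))
    try:
        verify_peer_hostname(MITM_CERT, "app.bank.example")
    except CertificateHostnameMismatch as exc:
        print("rejected:", exc)
    print("vulnerable context verifies peer:", context_verifies(vulnerable_client_context()))
    print("hardened context verifies peer:", context_verifies(hardened_client_context()))
```

`context_verifies` is the check worth keeping around in a test suite: a client that passes it cannot be talked into accepting the interceptor's certificate in `MITM_CERT`, while the vulnerable context accepts it without ever reaching the hostname comparison. On Android the equivalent mistakes are a custom `X509TrustManager` whose `checkServerTrusted` never throws and a `HostnameVerifier` that always returns true; the fix is the same as here, keep the platform defaults and, if needed, pin a CA rather than disable verification.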

Mitigation
Install the updated applications released by the vendors on January 28, 2020 (see the external links below). Until the update is installed, avoid using the affected apps on untrusted networks such as public Wi-Fi.

Vulnerable software versions

MyPallete: All versions

Ashigin app: 1.0.4

Ikeda Senshu Bank Banking App: 3.0.4

Shikoku Bank App: 2.0.1

Tougin app: 1.0.1

Nagagin app: 1.0.1

77 Bank Application: 2.0.1

Dogin app: 3.0.1

Hokuriku Bank Portal App: 2.0.1


External links
http://jvn.jp/en/jp/JVN28845872/index.html
http://www.dokodemobank.ne.jp/info_20200128_bankingapp.html
http://www.77bank.co.jp/pdf/oshirase/20012801_appvulnerability.pdf
http://www.ashikagabank.co.jp/appbanking/pdf/oshirase.pdf
http://www.hokkaidobank.co.jp/common/dat/2020/0120/15795047141946146699.pdf
http://www.hokugin.co.jp/info/archives/personal/2020/1913.html
http://www.naganobank.co.jp/soshiki/2/app-ssl.html
http://www.shikokubank.co.jp/info/apps20200128.html
http://www.sihd-bk.jp/common_v2/pdf/20200127.pdf
http://www.tohoku-bank.co.jp/news/topics/200128_applissl.html


Q & A

Can this vulnerability be exploited remotely?

Yes. An unauthenticated attacker who can intercept the app's network traffic (for example from a malicious or shared Wi-Fi access point, or another position on the network path) can exploit it; no credentials are required, but the attacker must be in a man-in-the-middle position, which is why the CVSS attack complexity is rated High.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
