Main Vulnerability Database Vulnerabilities #VU24687

#VU24687 Improper Certificate Validation in Hokuriku Bank, Ltd. products - CVE-2020-5523

Published: January 28, 2020

Vulnerability identifier: #VU24687

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2020-5523

CWE-ID: CWE-295

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
MyPallete
Ashigin app
Ikeda Senshu Bank Banking App
Shikoku Bank App
Tougin app
Nagagin app
77 Bank Application
Dogin app
Hokuriku Bank Portal App

Software vendor:
NTT DATA Corporation
The Ashikaga Bank, Ltd.
The Senshu Ikeda Bank, Ltd.
The Shikoku Bank, Ltd.
The Tohoku Bank, Ltd.
THE NAGANO BANK, LTD.
The 77 bank, Ltd.
The Hokkaido Bank,Ltd.
Hokuriku Bank, Ltd.

Description

The vulnerability allows a remote attacker to perform a man-in-the-middle attack.

The vulnerability exists due to the Android App "MyPallete" and some of the Android banking applications based on "MyPallete" fail to verify SSL server certificates and also do not properly validate certificates with host-mismatch. A remote attacker can supply a specially crafted SSL certificate, perform a man-in-the-middle attack and eavesdrop on an encrypted communication.

Remediation

Install updates from vendor's website released on January 28, 2020.

#VU24687 Improper Certificate Validation in Hokuriku Bank, Ltd. products - CVE-2020-5523

Description

Remediation

External links

Please verify you're human