Vulnerability identifier: #VU24687
Vulnerability risk: Medium
CVSSv3.1: 4.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-295 (Improper Certificate Validation)
Exploitation vector: Network
Exploit availability: No
Vulnerable software (all are mobile applications / apps for mobile phones):
MyPallete
Ashigin app
Ikeda Senshu Bank Banking App
Shikoku Bank App
Tougin app
Nagagin app
77 Bank Application
Dogin app
Hokuriku Bank Portal App
Vendor:
NTT DATA Corporation
The Ashikaga Bank, Ltd.
The Senshu Ikeda Bank, Ltd.
The Shikoku Bank, Ltd.
The Tohoku Bank, Ltd.
THE NAGANO BANK, LTD.
The 77 bank, Ltd.
The Hokkaido Bank,Ltd.
Hokuriku Bank, Ltd.
Description
The vulnerability allows a remote attacker to perform a man-in-the-middle attack against the application's connection to the bank.
The vulnerability exists because the Android app "MyPallete" and several Android banking applications built on it do not verify SSL/TLS server certificates and also accept certificates whose name does not match the host being contacted (host-mismatch). An attacker positioned between the application and the bank's server can present a specially crafted certificate, which the application accepts without error, and thereby intercept, read and alter what the user believes is an encrypted session. Because the hostname check is also missing, a certificate issued by a trusted CA for an unrelated domain would be accepted just as readily as a self-signed one.
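The two checks the description says the apps skipped, shown as an added example and not as any code from MyPallete or the banks. The affected apps are Android applications; the example uses Python's ssl module because the mistake (disable chain verification, disable hostname verification) and its fix look the same in any TLS client library, and the Python form runs stand-alone. insecure_context() reproduces the vulnerable configuration, hardened_context() the corrected one, audit_context() flags either omission, and hostname_matches() implements the subjectAltName-to-host comparison that a host-mismatched certificate must fail. All function names and the DNS names in the tests are constructed for this example.

```python
"""Added example: the two client-side TLS validation failures described in
the advisory (no chain verification, no hostname check), the corrected
configuration, and an RFC 6125-style hostname matcher. Not code from
MyPallete or any of the listed banking apps."""
from __future__ import annotations

import ssl


def insecure_context() -> ssl.SSLContext:
    """Vulnerable configuration, shown for contrast only: any certificate the
    server presents is accepted (no chain validation) and its names are never
    compared with the host being contacted. This is the equivalent of an
    Android X509TrustManager whose checkServerTrusted() does nothing plus a
    HostnameVerifier that always returns true."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Corrected configuration: the platform trust store is consulted and the
    peer certificate must name the requested host. Both are defaults of
    create_default_context(); they are only lost when code disables them."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Report which of the two checks from the advisory a client context lacks.
    An empty list means both chain verification and hostname checking are on."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("server certificate chain is not verified (CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("certificate name is not checked against the target host")
    return findings


def _dns_name_matches(pattern: str, host: str) -> bool:
    """Match one subjectAltName dNSName (possibly with a wildcard) against a
    host, following the RFC 6125 section 6.4.3 rules: case-insensitive, the
    wildcard may only be the whole left-most label, it matches exactly one
    label, and at least two fixed labels must remain (so "*.com" is refused)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert_dns_names: list[str], host: str) -> bool:
    """The check the apps were missing: accept the certificate only if one of
    its dNSName entries matches the host the client intended to reach. A
    certificate that chains to a trusted CA but was issued for another name
    (the advisory's host-mismatch case) returns False here."""
    return any(_dns_name_matches(name, host) for name in cert_dns_names)


if __name__ == "__main__":
    # Constructed demonstration data; no network access is performed.
    for label, ctx in (("insecure", insecure_context()), ("hardened", hardened_context())):
        print(label, audit_context(ctx) or "ok")
    attacker_cert_names = ["attacker.example", "*.attacker.example"]
    print("bank host accepted by attacker cert:",
          hostname_matches(attacker_cert_names, "app.bank.example"))
```

A client that passes audit_context() with no findings and rejects the host-mismatched certificate is the behaviour the January 28, 2020 updates restore; the insecure pattern is what a reviewer should grep for in an app's TLS setup code (custom trust managers that swallow exceptions, hostname verifiers that return true, or a context configured as in insecure_context()).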
Mitigation
Install the updated applications released by the vendors on January 28, 2020 (see the vendor notices under External links).
Vulnerable software versions
MyPallete: All versions
Ashigin app: 1.0.4
Ikeda Senshu Bank Banking App: 3.0.4
Shikoku Bank App: 2.0.1
Tougin app: 1.0.1
Nagagin app: 1.0.1
77 Bank Application: 2.0.1
Dogin app: 3.0.1
Hokuriku Bank Portal App: 2.0.1
External links
http://jvn.jp/en/jp/JVN28845872/index.html
http://www.dokodemobank.ne.jp/info_20200128_bankingapp.html
http://www.77bank.co.jp/pdf/oshirase/20012801_appvulnerability.pdf
http://www.ashikagabank.co.jp/appbanking/pdf/oshirase.pdf
http://www.hokkaidobank.co.jp/common/dat/2020/0120/15795047141946146699.pdf
http://www.hokugin.co.jp/info/archives/personal/2020/1913.html
http://www.naganobank.co.jp/soshiki/2/app-ssl.html
http://www.shikokubank.co.jp/info/apps20200128.html
http://www.sihd-bk.jp/common_v2/pdf/20200127.pdf
http://www.tohoku-bank.co.jp/news/topics/200128_applissl.html
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker who is able to intercept the application's network traffic (for example, an attacker controlling a public Wi-Fi network or another node on the path between the device and the bank's server).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.