U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Mobile

Millions Android Cyanogenmod users exposed to MitM attacks due to Code re-use

Researcher explains that vulnerable code re-use of zero-day in Android’s CyanogenMod exposes million users to Man-In-The-Middle attacks. Security experts always discourage jailbreaking and rooting of mobile devices due to the risk related to the installation of not authorized applications that could hide malware and serious bugs. At the Ruxcon Security Conference in Australia, an unnamed security […]

Millions Android Cyanogenmod users exposed to MitM attacks due to Code re-use

Researcher explains that vulnerable code re-use of zero-day in Android’s CyanogenMod exposes million users to Man-In-The-Middle attacks.

Security experts always discourage jailbreaking and rooting of mobile devices due to the risk related to the installation of not authorized applications that could hide malware and serious bugs.

At the Ruxcon Security Conference in Australia, an unnamed security researcher revealed that CyanogenMod developers “copy-pasted” Oracle’s “sample code for Java 1.5” could exposed Android devices with CyanogenMod at risk of man-in-the-middle attacks. The researcher decided to disclose the zero-day in CyanogenMod after he tried ethically to info CyanogenMod that did not respond. The expert described the fix as “fairly simple,” adding that “the exposure served as an academic exercise in the perils of code reuse.”

As warned by the expert, installing CyanogenMod on Android device, then the user’s device is vulnerable to a zero-day blamed on code re-use.

“If you go and create a SSL certificate for a domain you own, say evil.com and in an element of the certificate signing request such as the ‘organization name’ field you put the ‘value,cn=*domain name*, it will be accepted as the valid domain name for the certificate.” explained the researcher. “Cyanogenmod uses this implementation for its browsers so you can go now and MitM someone’s phone.”

The researcher highlights the improper validation of  SSL certificates made by the mobile devices which fail to perform the certificate pinning procedure when establishing a trusted connection to the service provider. The failure of the certificate pinning procedure exposes users to the risk of MitM attacks and consequent theft of sensitive information.

The expert warned that CyanogenMod and a “ton of others” OS installations reused flawed code that was reported to have SSL vulnerabilities back in 2012. Unfortunately, also the last version CM 11.0 M11 that was released October 8th hasn’t fixed the flaw and CyanogenMod hasn’t provided a reply on the  yet to respond to the zero-day allegation.

The experts consider this vulnerability critical due to the large number of CyanogenMod installations worldwide, which according the official statistics are more than 10 million as of December 2013.

CyanogenMod Statistics dec 2013

Code re-use is a very common practice within development community, but in many cases it could act as vector for old vulnerability due to not accurate repackaging of source code.

“I was looking at HTTP component code and I was thinking I had seen this code before,” the researcher said. “They just copy-pasted the sample code and that’s what was vulnerable. “I checked on GitHub and found out a tonne of others were using it.”

Let’s wait for the reply of CyanogenMod.

Pierluigi Paganini

(Security Affairs –  CyanogenMod, Android)