ID

VAR-201409-0273


CVE

CVE-2014-6701


TITLE

Vendormate Mobile for Android SSL Information Disclosure Vulnerability

Trust: 0.8

sources: IVD: 49c93878-1eb8-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-06497

DESCRIPTION

The Vendormate Mobile (aka com.vendormate.mobile) application 3.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

AppsGeyser is an online tool for creating Android applications. As of 22 December 2014, the developer site stated that more than 1.3 million Android applications had been created with AppsGeyser. Android applications created with AppsGeyser contain code that disables SSL server certificate validation for HTTPS communication. When such an application is used, a third party on the same network as the Android device may view or alter the content of the product's communication.

Multiple Android applications contain a vulnerability in which SSL certificates are not properly validated. CERT/CC used CERT Tapioca to investigate this vulnerability; for details of the test method, see the CERT/CC blog. For this vulnerability, see also DRD19-J, "Properly verify server certificate on SSL/TLS", of the CERT Oracle Secure Coding Standard for Java.

CERT Tapioca: https://www.cert.org/vulnerability-analysis/tools/cert-tapioca.cfm
CERT/CC blog: https://www.cert.org/blogs/certcc/post.cfm?EntryID=204
DRD19-J. Properly verify server certificate on SSL/TLS: https://www.securecoding.cert.org/confluence/x/CQAJC

Although the impact depends on the behavior of the app, a man-in-the-middle attacker may view or tamper with network traffic that should have been protected by HTTPS. As a result, authentication credentials may be obtained or arbitrary code may be executed.

Vendormate Mobile for Android is an Android application. It has a security vulnerability that an attacker could use to perform a man-in-the-middle attack and impersonate a trusted server.

Trust: 6.03

sources: NVD: CVE-2014-6701 // CERT/CC: VU#1680209 // CERT/CC: VU#582497 // JVNDB: JVNDB-2014-007349 // JVNDB: JVNDB-2014-006397 // JVNDB: JVNDB-2014-004043 // CNVD: CNVD-2014-06497 // CNNVD: CNNVD-201412-505 // BID: 71760 // IVD: 49c93878-1eb8-11e6-abef-000c29c66e3d
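As an added illustration (not code from this page, from Vendormate, from AppsGeyser or from CERT/CC), the script below shows the static check a reviewer would run over decompiled Java source (for example jadx output) to catch the idioms that disable certificate validation and produce findings of this kind (CWE-295/CWE-296): a no-op checkServerTrusted(), a getAcceptedIssuers() that returns null, a HostnameVerifier that always returns true, the ALLOW_ALL_HOSTNAME_VERIFIER constant, and a WebViewClient that calls handler.proceed() on an SSL error. The Java snippets it scans are constructed for the example and are not taken from any of the affected apps; the finding names are the script's own.

```python
"""Static check for Android code that disables TLS certificate validation.

Added illustration for this advisory, not code from Vendormate, AppsGeyser or
CERT/CC. The sample Java inputs below are constructed; the finding names are
this script's own labels, not identifiers from the advisory.
"""
import re

# (finding name, regex). DOTALL lets a method body span lines; the no-op
# body pattern tolerates line comments inside the braces.
PATTERNS = [
    ("no-op checkServerTrusted",
     re.compile(r"void\s+checkServerTrusted\s*\([^)]*\)[^{]*\{\s*(?://[^\n]*\n\s*)*\}",
                re.DOTALL)),
    ("getAcceptedIssuers returns null",
     re.compile(r"X509Certificate\[\]\s+getAcceptedIssuers\s*\([^)]*\)\s*\{\s*return\s+null\s*;\s*\}",
                re.DOTALL)),
    ("HostnameVerifier.verify always true",
     re.compile(r"boolean\s+verify\s*\(\s*String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)\s*\{\s*return\s+true\s*;\s*\}",
                re.DOTALL)),
    ("ALLOW_ALL_HOSTNAME_VERIFIER",
     re.compile(r"\bALLOW_ALL_HOSTNAME_VERIFIER\b")),
    ("handler.proceed() in onReceivedSslError",
     re.compile(r"onReceivedSslError\s*\([^)]*\)\s*\{[^}]*\.proceed\s*\(\s*\)", re.DOTALL)),
]


def find_disabled_validation(java_source: str) -> list:
    """Return the names of validation-disabling idioms present in the source."""
    return [name for name, rx in PATTERNS if rx.search(java_source)]


# Constructed sample 1: the "trust everything" TrustManager plus a permissive
# HostnameVerifier, installed as the process-wide defaults.
VULNERABLE_SAMPLE = """
TrustManager[] trustAll = new TrustManager[] { new X509TrustManager() {
    public X509Certificate[] getAcceptedIssuers() { return null; }
    public void checkClientTrusted(X509Certificate[] c, String a) { }
    public void checkServerTrusted(X509Certificate[] c, String a) {
        // accept anything
    }
} };
SSLContext sc = SSLContext.getInstance("TLS");
sc.init(null, trustAll, new SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
    public boolean verify(String h, SSLSession s) { return true; }
});
"""

# Constructed sample 2: the WebView variant, where SSL errors are ignored.
WEBVIEW_SAMPLE = """
webView.setWebViewClient(new WebViewClient() {
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.proceed();
    }
});
"""

# Constructed sample 3: hardened code that keeps the platform default
# TrustManager and HostnameVerifier (DRD19-J); nothing is overridden.
HARDENED_SAMPLE = """
URL url = new URL("https://example.invalid/api");
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
// Default chain validation and hostname matching apply.
conn.connect();
"""

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SAMPLE),
                       ("webview", WEBVIEW_SAMPLE),
                       ("hardened", HARDENED_SAMPLE)):
        hits = find_disabled_validation(src)
        print(f"{label}: {hits if hits else 'no validation-disabling idiom found'}")
```

A clean result from this check is necessary, not sufficient: obfuscated or reflectively built code will slip past regexes, which is why CERT/CC's dynamic approach (CERT Tapioca, a MITM proxy presenting a certificate the app should reject) remains the authoritative test.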

IOT TAXONOMY

category: ICS, sub_category: -

Trust: 0.8

sources: IVD: 49c93878-1eb8-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-06497

AFFECTED PRODUCTS

vendor: vendormate, model: mobile, scope: eq, version: 3.0

Trust: 2.4

vendor: appsgeyser, model: -, scope: -, version: -

Trust: 0.8

vendor: besttoolbars, model: appsgeyser, scope: eq, version: created with android application

Trust: 0.8

vendor: multiple vendors, model: -, scope: -, version: -

Trust: 0.8

vendor: vendormate, model: mobile for android, scope: eq, version: 3.0

Trust: 0.6

vendor: appsgeyser, model: appsgeyser, scope: eq, version: 0

Trust: 0.3

vendor: vendormate mobile, model: -, scope: eq, version: 3.0

Trust: 0.2

sources: IVD: 49c93878-1eb8-11e6-abef-000c29c66e3d // CERT/CC: VU#1680209 // CNVD: CNVD-2014-06497 // BID: 71760 // JVNDB: JVNDB-2014-007349 // JVNDB: JVNDB-2014-006397 // JVNDB: JVNDB-2014-004043 // CNNVD: CNNVD-201409-902 // NVD: CVE-2014-6701

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-6701
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-6701
value: MEDIUM

Trust: 0.8

IPA: JVNDB-2014-004043
value: HIGH

Trust: 0.8

CNVD: CNVD-2014-06497
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201409-902
value: MEDIUM

Trust: 0.6

IVD: 49c93878-1eb8-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

nvd@nist.gov: CVE-2014-6701
severity: MEDIUM
baseScore: 5.4
vectorString: AV:A/AC:M/AU:N/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 5.5
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

IPA: JVNDB-2014-004043
severity: HIGH
baseScore: 8.3
vectorString: AV:A/AC:L/AU:N/C:C/I:C/A:C
accessVector: ADJACENT NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2014-06497
severity: MEDIUM
baseScore: 5.4
vectorString: AV:A/AC:M/AU:N/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 5.5
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 49c93878-1eb8-11e6-abef-000c29c66e3d
severity: MEDIUM
baseScore: 5.4
vectorString: AV:A/AC:M/AU:N/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 5.5
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

sources: IVD: 49c93878-1eb8-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-06497 // JVNDB: JVNDB-2014-006397 // JVNDB: JVNDB-2014-004043 // CNNVD: CNNVD-201409-902 // NVD: CVE-2014-6701

PROBLEMTYPE DATA

problemtype: CWE-310

Trust: 1.8

problemtype: CWE-Other

Trust: 0.8

sources: JVNDB: JVNDB-2014-007349 // JVNDB: JVNDB-2014-006397 // NVD: CVE-2014-6701

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201412-505

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201412-505

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-007349

PATCH

title: Security with HTTPS and SSL, url: http://developer.android.com/training/articles/security-ssl.html

Trust: 0.8

title: AppsGeyser, url: http://www.appsgeyser.com/

Trust: 0.8

title: com.vendormate.mobile, url: https://play.google.com/store/apps/details?id=com.vendormate.mobile

Trust: 0.8

sources: JVNDB: JVNDB-2014-007349 // JVNDB: JVNDB-2014-006397

EXTERNAL IDS

db: CERT/CC, id: VU#582497

Trust: 4.3

db: NVD, id: CVE-2014-6701

Trust: 3.2

db: CERT/CC, id: VU#1680209

Trust: 1.9

db: JVN, id: JVNVU90369988

Trust: 1.6

db: CERT/CC, id: VU#234369

Trust: 1.6

db: BID, id: 71760

Trust: 0.9

db: CNVD, id: CNVD-2014-06497

Trust: 0.8

db: CNNVD, id: CNNVD-201409-902

Trust: 0.8

db: JVN, id: JVNVU95399358

Trust: 0.8

db: JVNDB, id: JVNDB-2014-007349

Trust: 0.8

db: JVNDB, id: JVNDB-2014-006397

Trust: 0.8

db: JVNDB, id: JVNDB-2014-004043

Trust: 0.8

db: OSVDB, id: 112223

Trust: 0.6

db: CNNVD, id: CNNVD-201412-505

Trust: 0.6

db: IVD, id: 49C93878-1EB8-11E6-ABEF-000C29C66E3D

Trust: 0.2

sources: IVD: 49c93878-1eb8-11e6-abef-000c29c66e3d // CERT/CC: VU#1680209 // CERT/CC: VU#582497 // CNVD: CNVD-2014-06497 // BID: 71760 // JVNDB: JVNDB-2014-007349 // JVNDB: JVNDB-2014-006397 // JVNDB: JVNDB-2014-004043 // CNNVD: CNNVD-201412-505 // CNNVD: CNNVD-201409-902 // NVD: CVE-2014-6701

REFERENCES

url:https://docs.google.com/spreadsheets/d/1t5gxwjw82syunalvjb2w0zi3folrikfgpc7amjrf0r4/edit?usp=sharing

Trust: 4.0

url:http://www.kb.cert.org/vuls/id/582497

Trust: 3.5

url:http://www.fireeye.com/blog/technical/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html

Trust: 1.6

url:http://developer.android.com/training/articles/security-ssl.html

Trust: 1.6

url:http://www.ftc.gov/news-events/press-releases/2014/03/fandango-credit-karma-settle-ftc-charges-they-deceived-consumers

Trust: 1.6

url:http://android-ssl.org/

Trust: 1.6

url:http://android-ssl.org/files/p49.pdf

Trust: 1.6

url:http://android-ssl.org/files/p50-fahl.pdf

Trust: 1.6

url:http://cwe.mitre.org/data/definitions/295.html

Trust: 1.6

url:http://cwe.mitre.org/data/definitions/296.html

Trust: 1.6

url:http://jvn.jp/vu/jvnvu90369988/index.html

Trust: 1.6

url:http://www.kb.cert.org/vuls/id/234369

Trust: 1.6

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-6701

Trust: 1.4

url:http://www.kb.cert.org/vuls/id/1680209

Trust: 1.1

url:http://www.appsgeyser.com/

Trust: 0.8

url:http://jvn.jp/vu/jvnvu95399358/index.html

Trust: 0.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-6701

Trust: 0.8

url:https://www.securecoding.cert.org/confluence/pages/viewpage.action;jsessionid=38139e999b01085a7ae8552ac02eac05?pageid=134807561

Trust: 0.8

url:https://www.cert.org/vulnerability-analysis/tools/cert-tapioca.cfm

Trust: 0.8

url:https://www.cert.org/blogs/certcc/post.cfm?entryid=204

Trust: 0.8

url:http://www.ipa.go.jp/about/press/20140919_1.html

Trust: 0.8

url:http://osvdb.com/show/osvdb/112223

Trust: 0.6

url:http://www.securityfocus.com/bid/71760

Trust: 0.6

url:http://www.appsgeyser.com

Trust: 0.3

sources: CERT/CC: VU#1680209 // CERT/CC: VU#582497 // CNVD: CNVD-2014-06497 // BID: 71760 // JVNDB: JVNDB-2014-007349 // JVNDB: JVNDB-2014-006397 // JVNDB: JVNDB-2014-004043 // CNNVD: CNNVD-201412-505 // CNNVD: CNNVD-201409-902 // NVD: CVE-2014-6701

CREDITS

Will Dormann of the CERT/CC

Trust: 0.9

sources: BID: 71760 // CNNVD: CNNVD-201412-505

SOURCES

db: IVD, id: 49c93878-1eb8-11e6-abef-000c29c66e3d
db: CERT/CC, id: VU#1680209
db: CERT/CC, id: VU#582497
db: CNVD, id: CNVD-2014-06497
db: BID, id: 71760
db: JVNDB, id: JVNDB-2014-007349
db: JVNDB, id: JVNDB-2014-006397
db: JVNDB, id: JVNDB-2014-004043
db: CNNVD, id: CNNVD-201412-505
db: CNNVD, id: CNNVD-201409-902
db: NVD, id: CVE-2014-6701

LAST UPDATE DATE

2025-04-13T19:47:50.811000+00:00


SOURCES UPDATE DATE

db: CERT/CC, id: VU#1680209, date: 2015-01-07T00:00:00
db: CERT/CC, id: VU#582497, date: 2016-11-08T00:00:00
db: CNVD, id: CNVD-2014-06497, date: 2014-10-08T00:00:00
db: BID, id: 71760, date: 2014-12-19T00:00:00
db: JVNDB, id: JVNDB-2014-007349, date: 2014-12-24T00:00:00
db: JVNDB, id: JVNDB-2014-006397, date: 2014-12-17T00:00:00
db: JVNDB, id: JVNDB-2014-004043, date: 2014-09-19T00:00:00
db: CNNVD, id: CNNVD-201412-505, date: 2014-12-25T00:00:00
db: CNNVD, id: CNNVD-201409-902, date: 2014-09-24T00:00:00
db: NVD, id: CVE-2014-6701, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: IVD, id: 49c93878-1eb8-11e6-abef-000c29c66e3d, date: 2014-10-08T00:00:00
db: CERT/CC, id: VU#1680209, date: 2014-12-19T00:00:00
db: CERT/CC, id: VU#582497, date: 2014-09-03T00:00:00
db: CNVD, id: CNVD-2014-06497, date: 2014-09-25T00:00:00
db: BID, id: 71760, date: 2014-12-19T00:00:00
db: JVNDB, id: JVNDB-2014-007349, date: 2014-12-24T00:00:00
db: JVNDB, id: JVNDB-2014-006397, date: 2014-12-17T00:00:00
db: JVNDB, id: JVNDB-2014-004043, date: 2014-09-05T00:00:00
db: CNNVD, id: CNNVD-201412-505, date: 2014-12-25T00:00:00
db: CNNVD, id: CNNVD-201409-902, date: 2014-09-24T00:00:00
db: NVD, id: CVE-2014-6701, date: 2014-09-24T01:55:13.470