Details of VAR-201409-0871

ID

VAR-201409-0871

CVE

CVE-2014-5618

TITLE

AppsGeyser generates Android applications that fail to properly validate SSL certificates

Trust: 0.8

sources: CERT/CC: VU#1680209

DESCRIPTION

The Cartoon Camera (aka com.fingersoft.cartooncamera) application 1.2.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. AppsGeyser Online Android A tool for creating applications. On the developer site, 2014 Year 12 Moon 22 As of the day 130 Over 10,000 Android Application AppsGeyser It is stated that it was created by. AppsGeyser Created with Android The application includes HTTPS In communication SSL Contains code to disable server certificate validation.AppsGeyser If you use an application created in Android A third party on the same network as the device may view or alter the communication content of the product. plural Android The app includes SSL A vulnerability exists that does not properly validate certificates. CERT/CC Then CERT Tapioca Was used to investigate this vulnerability. For details of the survey method, CERT/CC blog Please confirm. In addition, regarding this vulnerability, CERT Oracle Secure Coding Standard for Java of DRD19-J. Properly verify server certificate on SSL/TLS See also CERT Tapioca https://www.cert.org/vulnerability-analysis/tools/cert-tapioca.cfm CERT/CC blog https://www.cert.org/blogs/certcc/post.cfm?EntryID=204 DRD19-J. Properly verify server certificate on SSL/TLS https://www.securecoding.cert.org/confluence/x/CQAJCMan-in-the-middle attacks, although the impact depends on the behavior of the app (man-in-the-middle attack) By HTTPS Network traffic that should be protected by may be viewed or tampered with. As a result, authentication information may be obtained or arbitrary code may be executed. An attacker could use this vulnerability to perform a man-in-the-middle attack and impersonate a trusted server. There is a security vulnerability in the version 1.2.2 of the Android Cartoon Camera application

Trust: 5.4

sources: NVD: CVE-2014-5618 // CERT/CC: VU#1680209 // CERT/CC: VU#582497 // JVNDB: JVNDB-2014-007349 // JVNDB: JVNDB-2014-004043 // JVNDB: JVNDB-2014-004452 // CNNVD: CNNVD-201412-505 // BID: 71760 // VULHUB: VHN-73560

AFFECTED PRODUCTS

vendor:	fingersoft	model:	cartoon camera	scope:	eq	version:	1.2.2	Trust: 2.4
vendor:	appsgeyser	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	besttoolbars	model:	appsgeyser	scope:	eq	version:	created with android application	Trust: 0.8
vendor:	multiple vendors	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	appsgeyser	model:	appsgeyser	scope:	eq	version:	0	Trust: 0.3

sources: CERT/CC: VU#1680209 // BID: 71760 // JVNDB: JVNDB-2014-007349 // JVNDB: JVNDB-2014-004043 // JVNDB: JVNDB-2014-004452 // CNNVD: CNNVD-201409-151 // NVD: CVE-2014-5618

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-5618
value:	MEDIUM
Trust: 1.0
IPA:	JVNDB-2014-004043
value:	HIGH
Trust: 0.8
NVD:	CVE-2014-5618
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201409-151
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-73560
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2014-5618
severity:	MEDIUM
baseScore:	5.4
vectorString:	AV:A/AC:M/AU:N/C:P/I:P/A:P
accessVector:	ADJACENT_NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	5.5
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
IPA:	JVNDB-2014-004043
severity:	HIGH
baseScore:	8.3
vectorString:	AV:A/AC:L/AU:N/C:C/I:C/A:C
accessVector:	ADJACENT NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
VULHUB:	VHN-73560
severity:	MEDIUM
baseScore:	5.4
vectorString:	AV:A/AC:M/AU:N/C:P/I:P/A:P
accessVector:	ADJACENT_NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	5.5
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-73560 // JVNDB: JVNDB-2014-004043 // JVNDB: JVNDB-2014-004452 // CNNVD: CNNVD-201409-151 // NVD: CVE-2014-5618

PROBLEMTYPE DATA

problemtype:	CWE-310	Trust: 1.9
problemtype:	CWE-Other	Trust: 0.8

sources: VULHUB: VHN-73560 // JVNDB: JVNDB-2014-007349 // JVNDB: JVNDB-2014-004452 // NVD: CVE-2014-5618

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201412-505

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201412-505

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-007349

PATCH

title:	Security with HTTPS and SSL	url:	http://developer.android.com/training/articles/security-ssl.html	Trust: 0.8
title:	AppsGeyser	url:	http://www.appsgeyser.com/	Trust: 0.8
title:	Android apps that fail to validate SSL	url:	https://docs.google.com/spreadsheets/d/1t5GXwjw82SyunALVJb2w0zi3FoLRIkfGPc7AMjRF0r4/edit?usp=sharing	Trust: 0.8
title:	カートゥーンカメラ (Cartoon Camera)	url:	https://play.google.com/store/apps/details?id=com.fingersoft.cartooncamera	Trust: 0.8

sources: JVNDB: JVNDB-2014-007349 // JVNDB: JVNDB-2014-004452

EXTERNAL IDS

db:	CERT/CC	id:	VU#582497	Trust: 4.4
db:	NVD	id:	CVE-2014-5618	Trust: 2.5
db:	CERT/CC	id:	VU#1680209	Trust: 1.9
db:	CERT/CC	id:	VU#164409	Trust: 1.7
db:	JVN	id:	JVNVU90369988	Trust: 1.6
db:	BID	id:	71760	Trust: 0.9
db:	JVN	id:	JVNVU95399358	Trust: 0.8
db:	JVNDB	id:	JVNDB-2014-007349	Trust: 0.8
db:	JVNDB	id:	JVNDB-2014-004043	Trust: 0.8
db:	JVNDB	id:	JVNDB-2014-004452	Trust: 0.8
db:	CNNVD	id:	CNNVD-201412-505	Trust: 0.6
db:	CNNVD	id:	CNNVD-201409-151	Trust: 0.6
db:	VULHUB	id:	VHN-73560	Trust: 0.1

sources: CERT/CC: VU#1680209 // CERT/CC: VU#582497 // VULHUB: VHN-73560 // BID: 71760 // JVNDB: JVNDB-2014-007349 // JVNDB: JVNDB-2014-004043 // JVNDB: JVNDB-2014-004452 // CNNVD: CNNVD-201412-505 // CNNVD: CNNVD-201409-151 // NVD: CVE-2014-5618

REFERENCES

url:	https://docs.google.com/spreadsheets/d/1t5gxwjw82syunalvjb2w0zi3folrikfgpc7amjrf0r4/edit?usp=sharing	Trust: 4.1
url:	http://www.kb.cert.org/vuls/id/582497	Trust: 3.6
url:	http://www.kb.cert.org/vuls/id/164409	Trust: 1.7
url:	http://www.fireeye.com/blog/technical/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html	Trust: 1.6
url:	http://developer.android.com/training/articles/security-ssl.html	Trust: 1.6
url:	http://www.ftc.gov/news-events/press-releases/2014/03/fandango-credit-karma-settle-ftc-charges-they-deceived-consumers	Trust: 1.6
url:	http://android-ssl.org/	Trust: 1.6
url:	http://android-ssl.org/files/p49.pdf	Trust: 1.6
url:	http://android-ssl.org/files/p50-fahl.pdf	Trust: 1.6
url:	http://cwe.mitre.org/data/definitions/295.html	Trust: 1.6
url:	http://cwe.mitre.org/data/definitions/296.html	Trust: 1.6
url:	http://jvn.jp/vu/jvnvu90369988/index.html	Trust: 1.6
url:	http://www.kb.cert.org/vuls/id/1680209	Trust: 1.1
url:	http://www.appsgeyser.com/	Trust: 0.8
url:	http://jvn.jp/vu/jvnvu95399358/index.html	Trust: 0.8
url:	https://www.securecoding.cert.org/confluence/pages/viewpage.action;jsessionid=38139e999b01085a7ae8552ac02eac05?pageid=134807561	Trust: 0.8
url:	https://www.cert.org/vulnerability-analysis/tools/cert-tapioca.cfm	Trust: 0.8
url:	https://www.cert.org/blogs/certcc/post.cfm?entryid=204	Trust: 0.8
url:	http://www.ipa.go.jp/about/press/20140919_1.html	Trust: 0.8
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-5618	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-5618	Trust: 0.8
url:	http://www.securityfocus.com/bid/71760	Trust: 0.6
url:	http://www.appsgeyser.com	Trust: 0.3

CREDITS

Will Dormann of the CERT/CC

Trust: 0.9

sources: BID: 71760 // CNNVD: CNNVD-201412-505

SOURCES

db:	CERT/CC	id:	VU#1680209
db:	CERT/CC	id:	VU#582497
db:	VULHUB	id:	VHN-73560
db:	BID	id:	71760
db:	JVNDB	id:	JVNDB-2014-007349
db:	JVNDB	id:	JVNDB-2014-004043
db:	JVNDB	id:	JVNDB-2014-004452
db:	CNNVD	id:	CNNVD-201412-505
db:	CNNVD	id:	CNNVD-201409-151
db:	NVD	id:	CVE-2014-5618

LAST UPDATE DATE

2025-04-13T20:21:03.986000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#1680209	date:	2015-01-07T00:00:00
db:	CERT/CC	id:	VU#582497	date:	2016-11-08T00:00:00
db:	VULHUB	id:	VHN-73560	date:	2014-09-11T00:00:00
db:	BID	id:	71760	date:	2014-12-19T00:00:00
db:	JVNDB	id:	JVNDB-2014-007349	date:	2014-12-24T00:00:00
db:	JVNDB	id:	JVNDB-2014-004043	date:	2014-09-19T00:00:00
db:	JVNDB	id:	JVNDB-2014-004452	date:	2014-09-30T00:00:00
db:	CNNVD	id:	CNNVD-201412-505	date:	2014-12-25T00:00:00
db:	CNNVD	id:	CNNVD-201409-151	date:	2014-09-17T00:00:00
db:	NVD	id:	CVE-2014-5618	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#1680209	date:	2014-12-19T00:00:00
db:	CERT/CC	id:	VU#582497	date:	2014-09-03T00:00:00
db:	VULHUB	id:	VHN-73560	date:	2014-09-09T00:00:00
db:	BID	id:	71760	date:	2014-12-19T00:00:00
db:	JVNDB	id:	JVNDB-2014-007349	date:	2014-12-24T00:00:00
db:	JVNDB	id:	JVNDB-2014-004043	date:	2014-09-05T00:00:00
db:	JVNDB	id:	JVNDB-2014-004452	date:	2014-09-30T00:00:00
db:	CNNVD	id:	CNNVD-201412-505	date:	2014-12-25T00:00:00
db:	CNNVD	id:	CNNVD-201409-151	date:	2014-09-17T00:00:00
db:	NVD	id:	CVE-2014-5618	date:	2014-09-09T01:55:31.150