Sign-up

ID

VAR-201410-0592


CVE

CVE-2014-7486


TITLE

Mitsubishi Road Assist application for Android Information Disclosure Vulnerability

Trust: 0.8

sources: IVD: c19b48d0-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-07783

DESCRIPTION

The Mitsubishi Road Assist (aka com.agero.mitsubishi) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. AppsGeyser Online Android A tool for creating applications. On the developer site, 2014 Year 12 Moon 22 As of the day 130 Over 10,000 Android Application AppsGeyser It is stated that it was created by. AppsGeyser Created with Android The application includes HTTPS In communication SSL Contains code to disable server certificate validation.AppsGeyser If you use an application created in Android A third party on the same network as the device may view or alter the communication content of the product. plural Android The app includes SSL A vulnerability exists that does not properly validate certificates. CERT/CC Then CERT Tapioca Was used to investigate this vulnerability. For details of the survey method, CERT/CC blog Please confirm. In addition, regarding this vulnerability, CERT Oracle Secure Coding Standard for Java of DRD19-J. Properly verify server certificate on SSL/TLS See also CERT Tapioca https://www.cert.org/vulnerability-analysis/tools/cert-tapioca.cfm CERT/CC blog https://www.cert.org/blogs/certcc/post.cfm?EntryID=204 DRD19-J. Properly verify server certificate on SSL/TLS https://www.securecoding.cert.org/confluence/x/CQAJCMan-in-the-middle attacks, although the impact depends on the behavior of the app (man-in-the-middle attack) By HTTPS Network traffic that should be protected by may be viewed or tampered with. As a result, authentication information may be obtained or arbitrary code may be executed. An attacker could use this vulnerability to perform a man-in-the-middle attack and impersonate a trusted server

Trust: 6.03

sources: NVD: CVE-2014-7486 // CERT/CC: VU#1680209 // CERT/CC: VU#582497 // JVNDB: JVNDB-2014-007349 // JVNDB: JVNDB-2014-006952 // JVNDB: JVNDB-2014-004043 // CNVD: CNVD-2014-07783 // CNNVD: CNNVD-201412-505 // BID: 71760 // IVD: c19b48d0-2351-11e6-abef-000c29c66e3d

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: c19b48d0-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-07783

AFFECTED PRODUCTS

vendor:mitsubishicarsmodel:mitsubishi road assistscope:eqversion:1

Trust: 1.6

vendor:appsgeysermodel: - scope: - version: -

Trust: 0.8

vendor:besttoolbarsmodel:appsgeyserscope:eqversion:created with android application

Trust: 0.8

vendor:mitsubishicarsmodel:mitsubishi road assistscope:eqversion:1.0

Trust: 0.8

vendor:multiple vendorsmodel: - scope: - version: -

Trust: 0.8

vendor:mitsubishimodel:road assist mitsubishi road assist application for androidscope:eqversion:1.0

Trust: 0.6

vendor:appsgeysermodel:appsgeyserscope:eqversion:0

Trust: 0.3

vendor:mitsubishi road assistmodel: - scope:eqversion:1

Trust: 0.2

sources: IVD: c19b48d0-2351-11e6-abef-000c29c66e3d // CERT/CC: VU#1680209 // CNVD: CNVD-2014-07783 // BID: 71760 // JVNDB: JVNDB-2014-007349 // JVNDB: JVNDB-2014-006952 // JVNDB: JVNDB-2014-004043 // CNNVD: CNNVD-201410-871 // NVD: CVE-2014-7486

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-7486
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-7486
value: MEDIUM

Trust: 0.8

IPA: JVNDB-2014-004043
value: HIGH

Trust: 0.8

CNVD: CNVD-2014-07783
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201410-871
value: MEDIUM

Trust: 0.6

IVD: c19b48d0-2351-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

nvd@nist.gov: CVE-2014-7486
severity: MEDIUM
baseScore: 5.4
vectorString: AV:A/AC:M/AU:N/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 5.5
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

IPA: JVNDB-2014-004043
severity: HIGH
baseScore: 8.3
vectorString: AV:A/AC:L/AU:N/C:C/I:C/A:C
accessVector: ADJACENT NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2014-07783
severity: MEDIUM
baseScore: 5.4
vectorString: AV:A/AC:M/AU:N/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 5.5
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: c19b48d0-2351-11e6-abef-000c29c66e3d
severity: MEDIUM
baseScore: 5.4
vectorString: AV:A/AC:M/AU:N/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 5.5
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

sources: IVD: c19b48d0-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-07783 // JVNDB: JVNDB-2014-006952 // JVNDB: JVNDB-2014-004043 // CNNVD: CNNVD-201410-871 // NVD: CVE-2014-7486

PROBLEMTYPE DATA

problemtype:CWE-310

Trust: 1.8

problemtype:CWE-Other

Trust: 0.8

sources: JVNDB: JVNDB-2014-007349 // JVNDB: JVNDB-2014-006952 // NVD: CVE-2014-7486

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201412-505

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201412-505

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2014-007349

PATCH
title:Security with HTTPS and SSLurl:http://developer.android.com/training/articles/security-ssl.html
Trust: 0.8
title:AppsGeyserurl:http://www.appsgeyser.com/
Trust: 0.8
title:com.agero.mitsubishiurl:https://play.google.com/store/apps/details?id=com.agero.mitsubishi
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2014-007349 // 
            
            
            
            JVNDB: JVNDB-2014-006952

EXTERNAL IDS
db:CERT/CCid:VU#582497
Trust: 4.9
db:NVDid:CVE-2014-7486
Trust: 3.2
db:CERT/CCid:VU#1680209
Trust: 1.9
db:JVNid:JVNVU90369988
Trust: 1.6
db:CERT/CCid:VU#345425
Trust: 1.6
db:BIDid:71760
Trust: 0.9
db:CNVDid:CNVD-2014-07783
Trust: 0.8
db:CNNVDid:CNNVD-201410-871
Trust: 0.8
db:JVNid:JVNVU95399358
Trust: 0.8
db:JVNDBid:JVNDB-2014-007349
Trust: 0.8
db:JVNDBid:JVNDB-2014-006952
Trust: 0.8
db:JVNDBid:JVNDB-2014-004043
Trust: 0.8
db:CNNVDid:CNNVD-201412-505
Trust: 0.6
db:IVDid:C19B48D0-2351-11E6-ABEF-000C29C66E3D
Trust: 0.2
sources:
            
            
            IVD: c19b48d0-2351-11e6-abef-000c29c66e3d // 
            
            
            
            CERT/CC: VU#1680209 // 
            
            
            
            CERT/CC: VU#582497 // 
            
            
            
            CNVD: CNVD-2014-07783 // 
            
            
            
            BID: 71760 // 
            
            
            
            JVNDB: JVNDB-2014-007349 // 
            
            
            
            JVNDB: JVNDB-2014-006952 // 
            
            
            
            JVNDB: JVNDB-2014-004043 // 
            
            
            
            CNNVD: CNNVD-201412-505 // 
            
            
            
            CNNVD: CNNVD-201410-871 // 
            
            
            
            NVD: CVE-2014-7486

REFERENCES
url:http://www.kb.cert.org/vuls/id/582497
Trust: 4.1
url:https://docs.google.com/spreadsheets/d/1t5gxwjw82syunalvjb2w0zi3folrikfgpc7amjrf0r4/edit?usp=sharing
Trust: 4.0
url:http://www.fireeye.com/blog/technical/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Trust: 1.6
url:http://developer.android.com/training/articles/security-ssl.html
Trust: 1.6
url:http://www.ftc.gov/news-events/press-releases/2014/03/fandango-credit-karma-settle-ftc-charges-they-deceived-consumers
Trust: 1.6
url:http://android-ssl.org/
Trust: 1.6
url:http://android-ssl.org/files/p49.pdf
Trust: 1.6
url:http://android-ssl.org/files/p50-fahl.pdf
Trust: 1.6
url:http://cwe.mitre.org/data/definitions/295.html
Trust: 1.6
url:http://cwe.mitre.org/data/definitions/296.html
Trust: 1.6
url:http://jvn.jp/vu/jvnvu90369988/index.html
Trust: 1.6
url:http://www.kb.cert.org/vuls/id/345425
Trust: 1.6
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-7486
Trust: 1.4
url:http://www.kb.cert.org/vuls/id/1680209
Trust: 1.1
url:http://www.appsgeyser.com/
Trust: 0.8
url:http://jvn.jp/vu/jvnvu95399358/index.html
Trust: 0.8
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-7486
Trust: 0.8
url:https://www.securecoding.cert.org/confluence/pages/viewpage.action;jsessionid=38139e999b01085a7ae8552ac02eac05?pageid=134807561
Trust: 0.8
url:https://www.cert.org/vulnerability-analysis/tools/cert-tapioca.cfm
Trust: 0.8
url:https://www.cert.org/blogs/certcc/post.cfm?entryid=204
Trust: 0.8
url:http://www.ipa.go.jp/about/press/20140919_1.html
Trust: 0.8
url:http://www.securityfocus.com/bid/71760
Trust: 0.6
url:http://www.appsgeyser.com
Trust: 0.3
sources:
            
            
            CERT/CC: VU#1680209 // 
            
            
            
            CERT/CC: VU#582497 // 
            
            
            
            CNVD: CNVD-2014-07783 // 
            
            
            
            BID: 71760 // 
            
            
            
            JVNDB: JVNDB-2014-007349 // 
            
            
            
            JVNDB: JVNDB-2014-006952 // 
            
            
            
            JVNDB: JVNDB-2014-004043 // 
            
            
            
            CNNVD: CNNVD-201412-505 // 
            
            
            
            CNNVD: CNNVD-201410-871 // 
            
            
            
            NVD: CVE-2014-7486

CREDITS
Will Dormann of the CERT/CC
Trust: 0.9
sources:
            
            
            BID: 71760 // 
            
            
            
            CNNVD: CNNVD-201412-505

SOURCES
db:IVDid:c19b48d0-2351-11e6-abef-000c29c66e3d
db:CERT/CCid:VU#1680209
db:CERT/CCid:VU#582497
db:CNVDid:CNVD-2014-07783
db:BIDid:71760
db:JVNDBid:JVNDB-2014-007349
db:JVNDBid:JVNDB-2014-006952
db:JVNDBid:JVNDB-2014-004043
db:CNNVDid:CNNVD-201412-505
db:CNNVDid:CNNVD-201410-871
db:NVDid:CVE-2014-7486

LAST UPDATE DATE
2025-04-13T19:51:21.816000+00:00

SOURCES UPDATE DATE
db:CERT/CCid:VU#1680209date:2015-01-07T00:00:00
db:CERT/CCid:VU#582497date:2016-11-08T00:00:00
db:CNVDid:CNVD-2014-07783date:2014-11-03T00:00:00
db:BIDid:71760date:2014-12-19T00:00:00
db:JVNDBid:JVNDB-2014-007349date:2014-12-24T00:00:00
db:JVNDBid:JVNDB-2014-006952date:2014-12-17T00:00:00
db:JVNDBid:JVNDB-2014-004043date:2014-09-19T00:00:00
db:CNNVDid:CNNVD-201412-505date:2014-12-25T00:00:00
db:CNNVDid:CNNVD-201410-871date:2014-10-22T00:00:00
db:NVDid:CVE-2014-7486date:2025-04-12T10:46:40.837

SOURCES RELEASE DATE
db:IVDid:c19b48d0-2351-11e6-abef-000c29c66e3ddate:2014-11-03T00:00:00
db:CERT/CCid:VU#1680209date:2014-12-19T00:00:00
db:CERT/CCid:VU#582497date:2014-09-03T00:00:00
db:CNVDid:CNVD-2014-07783date:2014-11-03T00:00:00
db:BIDid:71760date:2014-12-19T00:00:00
db:JVNDBid:JVNDB-2014-007349date:2014-12-24T00:00:00
db:JVNDBid:JVNDB-2014-006952date:2014-12-17T00:00:00
db:JVNDBid:JVNDB-2014-004043date:2014-09-05T00:00:00
db:CNNVDid:CNNVD-201412-505date:2014-12-25T00:00:00
db:CNNVDid:CNNVD-201410-871date:2014-10-22T00:00:00
db:NVDid:CVE-2014-7486date:2014-10-20T10:55:07.920