ID

VAR-201608-0085

CVE

CVE-2016-5672

TITLE

Intel CrossWalk project does not validate SSL certificates after first acceptance

DESCRIPTION

Intel Crosswalk before 19.49.514.5, 20.x before 20.50.533.11, 21.x before 21.51.546.0, and 22.x before 22.51.549.0 interprets a user's acceptance of one invalid X.509 certificate to mean that all invalid X.509 certificates should be accepted without prompting, which makes it easier for man-in-the-middle attackers to spoof SSL servers and obtain sensitive information via a crafted certificate. Intel Crosswalk Project Is Android and iOS A framework for developing hybrid apps Crosswalk Project Is illegal SSL There is a problem in the processing when the user accepts the server certificate, and the application SSL Validation of all server certificates may be hindered. Issue that does not warn the user that the operation is unsafe (CWE-356) - CVE-2016-5672 Fraudulent SSL If a server certificate is detected, Crosswalk Project Apps created using show an error message. The user gets this error message "OK" If you select, the app SSL Server certificate verification will not be performed. The error message indicates that the app is permanently SSL It is not clearly stated that the server certificate will no longer be verified, and the same message will not be displayed again. CWE-356: Product UI does not Warn User of Unsafe Actions http://cwe.mitre.org/data/definitions/356.html Researchers are releasing more detailed information as security advisories. Also, Intel Corporation Has also created a blog post about this issue. Security advisory https://wwws.nightwatchcybersecurity.com/2016/07/29/advisory-intel-crosswalk-ssl-prompt-issue/ Blog post http://blogs.intel.com/evangelists/2016/07/28/crosswalk-security-vulnerability/Once you set to allow unauthorized server certificates, SSL Man-in-the-middle attacks where all server certificates are no longer verified (man-in-the-middle attack) May be done. Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks or impersonate trusted servers, which will aid in further attacks. The issue is fixed in following versions: Intel Crosswalk 19.49.514.5, 20.50.533.11, 21.51.546.0, and 22.51.549.0. Intel Crosswalk is a set of Web engines developed by Intel Corporation of the United States. [Original at: https://wwws.nightwatchcybersecurity.com/2016/07/29/advisory-intel-crosswalk-ssl-prompt-issue/] Summary The Intel Crosswalk Project library for cross-platform mobile development did not properly handle SSL errors. This behaviour could subject applications developed using this library to SSL MITM attacks. Vulnerability Details The Crosswalk Project, created by Intels Open Source Technology Center, allows mobile developers to use HTML, CSS and Javascript to develop and deploy mobile apps across multiple platforms from the same codebase. The library packages the HTML assets provided by the developer and runs them inside a WebView on the device. The library also bridges some of the common APIs and services from the Javascript code in the WebView to the underlying platform. It is implemented in multiple apps, some of which can be found here. This applies even to connections over different WiFi hotspots and different certificates. This may allow a network-level attacker to mount MITM attack using invalid SSL certificate and capture sensitive data. This issue has been fixed in the following versions of Crosswalk and all users of the library are encouraged to upgrade: - 19.49.514.5 (stable) - 20.50.533.11 (beta) - 21.51.546.0 (beta) - 22.51.549.0 (canary) This issue was originally discovered while testing a third-party Android app using this library. References CERT/CC vulnerability note: https://www.kb.cert.org/vuls/id/217871 Crosswalk security advisory: https://lists.crosswalk-project.org/pipermail/crosswalk-help/2016-July/002167.html CVE - CVE-2016-5672: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5672 Intel blog post: https://blogs.intel.com/evangelists/2016/07/28/crosswalk-security-vulnerability/ Credits Thank you to CERT/CC for coordination on this issue, and to the Intel Open Source Technology Center for the fix. Timeline 2016-05-25: Reported issue to the Intel PSIRT, got an automated reply 2016-05-30: Reached out to CERT/CC for help reaching Intel 2016-06-01: Request from CERT/CC for more details, provided details via secure form 2016-06-15: Response from CERT/CC that Intel is planning a fix within 45 days 2016-06-23: Direct contact from Intel 2016-07-01: Asking CERT/CC to reserve a CVE, CERT/CC assigns a CVE 2016-07-22: Intel fix is finished and ready for testing 2016-07-25: We confirm the fix and coordinate disclosure dates 2016-07-29: Coordinated public disclosure

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

encryption problem

CONFIGURATIONS

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Nightwatch Cybersecurity Research

SOURCES

LAST UPDATE DATE

2025-04-13T23:17:53.076000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE