CVE-2018-0691

15.11.2018, 15:29

Multiple +Message Apps (Softbank +Message App for Android prior to version 10.1.7, Softbank +Message App for iOS prior to version 1.1.23, NTT DOCOMO +Message App for Android prior to version 42.40.2800, NTT DOCOMO +Message App for iOS prior to version 1.1.23, KDDI +Message App for Android prior to version 1.0.6, and KDDI +Message App for iOS prior to version 1.1.23) do not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.9 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
jpcert	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 34%

Vendor	Product	Version
kddi	\+_message	𝑥 < 1.0.6
ntttocomo	\+_message	𝑥 < 42.40.2800
softbank	\+_message	𝑥 < 10.1.7
kddi	\+_message	𝑥 < 1.1.23
ntt_tocomo	\+_message	𝑥 < 1.1.23
softbank	\+_message	𝑥 < 1.1.23

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-295 - Improper Certificate Validation
The software does not validate, or incorrectly validates, a certificate.

References

http://jvn.jp/en/jp/JVN37288228/index.html

https://www.au.com/information/notice_mobile/service/2018-002/

https://www.nttdocomo.co.jp/info/notice/page/180927_00.html

https://www.softbank.jp/mobile/info/personal/news/service/20180927a/

http://jvn.jp/en/jp/JVN37288228/index.html

https://www.au.com/information/notice_mobile/service/2018-002/

https://www.nttdocomo.co.jp/info/notice/page/180927_00.html

https://www.softbank.jp/mobile/info/personal/news/service/20180927a/