Vulnerability-Lookup

CNVD-2017-25889

Vulnerability from cnvd - Published: 2017-09-11

Title

RBB SPEED TEST App fails to verify SSL server certificates

Description

IID RBB SPEED TEST App for Android和IID RBB SPEED TEST App for iOS都是日本IID公司的产品。IID RBB SPEED TEST App for Android是一款基于Android平台的数据流量测量应用程序。该程序能够测量一定时间之内与服务器的数据交换的平均吞吐量，IID RBB SPEED TEST App for iOS是它的iOS版本。基于Android平台的RBB SPEED TEST App 2.0.3及之前版本和基于iOS平台的RBB SPEED TEST App 2.1.0及之前的版本中存在安全漏洞，该漏洞源于程序未能验证SSL服务器端的X.509证书。攻击者可借助特制的证书利用该漏洞伪造服务器，实施中间人攻击，获取敏感信息。

Severity

中

Patch Name

RBB SPEED TEST App fails to verify SSL server certificates的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，详情请关注厂商主页： http://speed.rbbtoday.com/

Reference

http://jvn.jp/en/jp/JVN24238648/

Impacted products

Name
['IID, Inc. RBB SPEED TEST App for Android <=2.0.3', 'IID, Inc. RBB SPEED TEST App for iOS <=2.1.0']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-2278"
    }
  },
  "description": "IID RBB SPEED TEST App for Android\u548cIID RBB SPEED TEST App for iOS\u90fd\u662f\u65e5\u672cIID\u516c\u53f8\u7684\u4ea7\u54c1\u3002IID RBB SPEED TEST App for Android\u662f\u4e00\u6b3e\u57fa\u4e8eAndroid\u5e73\u53f0\u7684\u6570\u636e\u6d41\u91cf\u6d4b\u91cf\u5e94\u7528\u7a0b\u5e8f\u3002\u8be5\u7a0b\u5e8f\u80fd\u591f\u6d4b\u91cf\u4e00\u5b9a\u65f6\u95f4\u4e4b\u5185\u4e0e\u670d\u52a1\u5668\u7684\u6570\u636e\u4ea4\u6362\u7684\u5e73\u5747\u541e\u5410\u91cf\uff0cIID RBB SPEED TEST App for iOS\u662f\u5b83\u7684iOS\u7248\u672c\u3002\r\n\r\n\u57fa\u4e8eAndroid\u5e73\u53f0\u7684RBB SPEED TEST App 2.0.3\u53ca\u4e4b\u524d\u7248\u672c\u548c\u57fa\u4e8eiOS\u5e73\u53f0\u7684RBB SPEED TEST App 2.1.0\u53ca\u4e4b\u524d\u7684\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u80fd\u9a8c\u8bc1SSL\u670d\u52a1\u5668\u7aef\u7684X.509\u8bc1\u4e66\u3002\u653b\u51fb\u8005\u53ef\u501f\u52a9\u7279\u5236\u7684\u8bc1\u4e66\u5229\u7528\u8be5\u6f0f\u6d1e\u4f2a\u9020\u670d\u52a1\u5668\uff0c\u5b9e\u65bd\u4e2d\u95f4\u4eba\u653b\u51fb\uff0c\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002",
  "discovererName": "DigiGnome",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8be6\u60c5\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\uff1a\r\nhttp://speed.rbbtoday.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-25889",
  "openTime": "2017-09-11",
  "patchDescription": "IID RBB SPEED TEST App for Android\u548cIID RBB SPEED TEST App for iOS\u90fd\u662f\u65e5\u672cIID\u516c\u53f8\u7684\u4ea7\u54c1\u3002IID RBB SPEED TEST App for Android\u662f\u4e00\u6b3e\u57fa\u4e8eAndroid\u5e73\u53f0\u7684\u6570\u636e\u6d41\u91cf\u6d4b\u91cf\u5e94\u7528\u7a0b\u5e8f\u3002\u8be5\u7a0b\u5e8f\u80fd\u591f\u6d4b\u91cf\u4e00\u5b9a\u65f6\u95f4\u4e4b\u5185\u4e0e\u670d\u52a1\u5668\u7684\u6570\u636e\u4ea4\u6362\u7684\u5e73\u5747\u541e\u5410\u91cf\uff0cIID RBB SPEED TEST App for iOS\u662f\u5b83\u7684iOS\u7248\u672c\u3002\r\n\r\n\u57fa\u4e8eAndroid\u5e73\u53f0\u7684RBB SPEED TEST App 2.0.3\u53ca\u4e4b\u524d\u7248\u672c\u548c\u57fa\u4e8eiOS\u5e73\u53f0\u7684RBB SPEED TEST App 2.1.0\u53ca\u4e4b\u524d\u7684\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u80fd\u9a8c\u8bc1SSL\u670d\u52a1\u5668\u7aef\u7684X.509\u8bc1\u4e66\u3002\u653b\u51fb\u8005\u53ef\u501f\u52a9\u7279\u5236\u7684\u8bc1\u4e66\u5229\u7528\u8be5\u6f0f\u6d1e\u4f2a\u9020\u670d\u52a1\u5668\uff0c\u5b9e\u65bd\u4e2d\u95f4\u4eba\u653b\u51fb\uff0c\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "RBB SPEED TEST App fails to verify SSL server certificates\u7684\u8865\u4e01",
  "products": {
    "product": [
      "IID, Inc. RBB SPEED TEST App for Android \u003c=2.0.3",
      "IID, Inc. RBB SPEED TEST App for iOS \u003c=2.1.0"
    ]
  },
  "referenceLink": "http://jvn.jp/en/jp/JVN24238648/",
  "serverity": "\u4e2d",
  "submitTime": "2017-07-25",
  "title": "RBB SPEED TEST App fails to verify SSL server certificates"
}

CVE-2017-2278 (GCVE-0-2017-2278)

Vulnerability from cvelistv5 – Published: 2017-08-02 16:00 – Updated: 2024-08-05 13:48

Summary

The RBB SPEED TEST App for Android version 2.0.3 and earlier, RBB SPEED TEST App for iOS version 2.1.0 and earlier does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Severity ?

No CVSS data available.

CWE

Fails to verify SSL certificates

Assigner

jpcert

References

URL

Tags

	http://www.iid.co.jp/information/170714.html	x_refsource_MISC
	https://jvn.jp/en/jp/JVN24238648/index.html	third-party-advisoryx_refsource_JVN

Impacted products

Vendor

Product

Version

IID, Inc.

RBB SPEED TEST App for Android

Affected: version 2.0.3 and earlier

IID, Inc.

RBB SPEED TEST App for iOS

Affected: version 2.1.0 and earlier

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T13:48:05.219Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.iid.co.jp/information/170714.html"
          },
          {
            "name": "JVN#24238648",
            "tags": [
              "third-party-advisory",
              "x_refsource_JVN",
              "x_transferred"
            ],
            "url": "https://jvn.jp/en/jp/JVN24238648/index.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "RBB SPEED TEST App for Android",
          "vendor": "IID, Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "version 2.0.3 and earlier"
            }
          ]
        },
        {
          "product": "RBB SPEED TEST App for iOS",
          "vendor": "IID, Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "version 2.1.0 and earlier"
            }
          ]
        }
      ],
      "datePublic": "2017-08-02T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The RBB SPEED TEST App for Android version 2.0.3 and earlier, RBB SPEED TEST App for iOS version 2.1.0 and earlier does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Fails to verify SSL certificates",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-08-02T15:57:02",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.iid.co.jp/information/170714.html"
        },
        {
          "name": "JVN#24238648",
          "tags": [
            "third-party-advisory",
            "x_refsource_JVN"
          ],
          "url": "https://jvn.jp/en/jp/JVN24238648/index.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "vultures@jpcert.or.jp",
          "ID": "CVE-2017-2278",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "RBB SPEED TEST App for Android",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "version 2.0.3 and earlier"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "RBB SPEED TEST App for iOS",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "version 2.1.0 and earlier"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "IID, Inc."
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The RBB SPEED TEST App for Android version 2.0.3 and earlier, RBB SPEED TEST App for iOS version 2.1.0 and earlier does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Fails to verify SSL certificates"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.iid.co.jp/information/170714.html",
              "refsource": "MISC",
              "url": "http://www.iid.co.jp/information/170714.html"
            },
            {
              "name": "JVN#24238648",
              "refsource": "JVN",
              "url": "https://jvn.jp/en/jp/JVN24238648/index.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2017-2278",
    "datePublished": "2017-08-02T16:00:00",
    "dateReserved": "2016-12-01T00:00:00",
    "dateUpdated": "2024-08-05T13:48:05.219Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2017-25889

CVE-2017-2278 (GCVE-0-2017-2278)

Tags

Sightings

Nomenclature