JVNDB-2011-000053

Android vulnerability where an incorrect SSL certificate is displayed

Overview

Android OS contains a vulnerability where an incorrect SSL certificate is displayed.

Android OS contains a vulnerability in which, when a user attempts to view the SSL certificate of a site that loads content from an outside site, the SSL certificate of that outside site is displayed instead of the certificate of the site actually being visited.

Shuhei Ohtani of Business information govern CO., LTD reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVSS Severity

Base Metrics: 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products
Google
  • Android OS versions prior to 2.2

Impact

An attacker may trick the user into believing the site being visited is safe, which may lead to phishing attacks.

Solution

[For Mobile Device Developers]
Apply the update according to the information provided by Google.

[For Mobile Device Users]
For more information, please refer to the "Vendor Information" below.

This issue has been resolved in Android OS 2.2.

Vendor Information

  • Google
  • Panasonic Corporation

CWE

  1. No Mapping (CWE-Other) [IPA Evaluation]

CVE

  1. CVE-2010-4832

References

  1. JVN : JVN#43105011
  2. National Vulnerability Database (NVD) : CVE-2010-4832
  3. Related document : b/2511635 Browser displays incorrect SSL cert information

Revision History

[2011/07/29]
  Web page published
[2011/08/15]
  Vendor Information : Panasonic (Software Download)
[2014/05/19]
  References : Contents were added