
JVNDB-2012-000037

sp mode mail issue in the verification of SSL certificates

Overview

sp mode mail contains an issue in the verification of the SSL server certificate.

sp mode mail provided by NTT DOCOMO contains an issue in the verification of the SSL server certificate.

Tsukasa Hamano of Open Source Solution Technology Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVSS Severity

Base Metrics: 4.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products


NTT DOCOMO, INC.
  • sp mode mail version 5400 and earlier

According to the developer, only sp mode mail applications for Android are affected.

Impact

Since no warning is issued when connecting to a server that is using an invalid SSL server certificate, a remote attacker may be able to intercept communications.

Solution

[Update the software]
Update to the latest version according to the information provided by the developer.

Vendor Information

NTT DOCOMO, INC.

CWE

  1. No Mapping (CWE-Other) [IPA Evaluation]

CVE

  1. CVE-2012-1244

References

  1. JVN : JVN#82029095
  2. National Vulnerability Database (NVD) : CVE-2012-1244

Revision History

[2012/04/26]
  Web page was published