JVNDB-2015-000116

Japan Connected-free Wi-Fi vulnerable to script injection

Overview

Japan Connected-free Wi-Fi, provided by NTT Broadband Platform, Inc., is vulnerable to script injection when displaying malformed strings contained in an SSID.

Kenta Suefusa and Tomonori Shiomi of Sprout Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVSS Severity

Base Metrics: 5.4 (Medium) [IPA Score]
  • Access Vector: Adjacent Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

Affected Products


NTT Broadband Platform, Inc.
  • Japan Connected-free Wi-Fi for Android 1.6.0 and earlier
  • Japan Connected-free Wi-Fi for iOS 1.0.2 and earlier

Impact

When a device running the app connects to an access point whose SSID contains a malicious script, the script may be executed.

Solution

[Update the Software]
Update to the latest version according to the information provided by the developer.

Vendor Information

NTT Broadband Platform, Inc.

CWE

  1. Improper Input Validation (CWE-20) [IPA Evaluation]

CVE

  1. CVE-2015-5630

References

  1. JVN : JVN#41048401
  2. National Vulnerability Database (NVD) : CVE-2015-5630

Revision History

[2015/09/11]
  Web page was published
[2015/09/15]
  References : Content was added