[Japanese]

JVNDB-2016-000076

Japan Connected-free Wi-Fi vulnerable to API execution

Overview

Japan Connected-free Wi-Fi provided by NTT Broadband Platform, Inc. contains a vulnerability which allows an arbitrary API to be executed by a man-in-the-middle attacker.

Kenta Suefusa and Tomonori Shiomi of Sprout Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 5.6 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low
CVSS V2 Severity:
Base Metrics 5.1 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products


NTT Broadband Platform, Inc.
  • Japan Connected-free Wi-Fi for Android 1.15.1 and earlier
  • Japan Connected-free Wi-Fi for iOS 1.13.0 and earlier that have not applied the contents update provided on April 26, 2016

Impact

Android version of this app may allow an arbitrary API to be executed if permissions to execute that API are granted in the android manifest.
iOS version of this app may allow an arbitrary API to be executed.
Solution

[Update the Software]
Update to the latest version according to the information provided by the developer.
Vendor Information

NTT Broadband Platform, Inc.
CWE (What is CWE?)

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2016-4811
References

  1. JVN : JVN#46888319
  2. National Vulnerability Database (NVD) : CVE-2016-4811
Revision History

  • [2016/05/27]
      Web page was published
    [2016/06/23]
      References : Content was added

Date Public2016/05/27
Date First Published2016/05/27
Date Last Updated2016/06/23