
JVNDB-2024-000060

Multiple vulnerabilities in "FreeFrom - the nostr client" App

Overview

"FreeFrom - the nostr client" App provided by FreeFrom K.K. contains multiple vulnerabilities listed below.
  • Improper verification of cryptographic signature (CWE-347) - CVE-2024-36277

  • Reliance on obfuscation or encryption of security-relevant inputs without integrity checking (CWE-649) - CVE-2024-36279

  • Reusing a nonce, key pair in encryption (CWE-323) - CVE-2024-36289
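The first item (CWE-347, CVE-2024-36277) is about a nostr client accepting events whose signature does not verify. The page does not show the app's code, so the block below is an added example, not code from the FreeFrom app or the nostr project, of the check a client must run on every event it receives: recompute the NIP-01 event id from the serialized fields, then verify the BIP340 Schnorr signature over that id against the event's pubkey. It is pure Python (secp256k1 arithmetic and BIP340 written out, no third-party library), and the key and events are constructed here, not taken from the page. An `id_only_check` that recomputes the id but never verifies the signature is included to show why that is not enough: an attacker who edits the content can recompute the id, but cannot re-sign.

```python
# Added example, not code from the FreeFrom app or the nostr project: the check a nostr
# client must run before trusting an event, with pure-Python secp256k1 and BIP340.
import hashlib
import json

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F   # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141   # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and y1 != y2:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(p, k):
    """Double-and-add scalar multiplication (not constant-time; fine for verifying)."""
    r = None
    while k:
        if k & 1:
            r = _add(r, p)
        p, k = _add(p, p), k >> 1
    return r

def _tagged_hash(tag, data):
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + data).digest()

def _lift_x(x):
    """BIP340 lift_x: the curve point with this x and even y, or None."""
    c = (pow(x, 3, P) + 7) % P
    y = pow(c, (P + 1) // 4, P)
    if x >= P or y * y % P != c:
        return None
    return x, y if y % 2 == 0 else P - y

def pubkey(sk):
    """32-byte x-only public key for a 32-byte secret key."""
    return _mul(G, int.from_bytes(sk, "big"))[0].to_bytes(32, "big")

def schnorr_sign(sk, msg, aux=bytes(32)):
    """BIP340 signature over a 32-byte msg (deterministic for a fixed aux)."""
    d0 = int.from_bytes(sk, "big")
    px, py = _mul(G, d0)
    d, pxb = (d0 if py % 2 == 0 else N - d0), px.to_bytes(32, "big")
    t = (d ^ int.from_bytes(_tagged_hash("BIP0340/aux", aux), "big")).to_bytes(32, "big")
    k0 = int.from_bytes(_tagged_hash("BIP0340/nonce", t + pxb + msg), "big") % N
    rx, ry = _mul(G, k0)
    k, rxb = (k0 if ry % 2 == 0 else N - k0), rx.to_bytes(32, "big")
    e = int.from_bytes(_tagged_hash("BIP0340/challenge", rxb + pxb + msg), "big") % N
    return rxb + ((k + e * d) % N).to_bytes(32, "big")

def schnorr_verify(pk, msg, sig):
    """BIP340 verification: R = s*G - e*P must exist, have even y and x == r."""
    if len(pk) != 32 or len(msg) != 32 or len(sig) != 64:
        return False
    pt, r, s = _lift_x(int.from_bytes(pk, "big")), int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if pt is None or r >= P or s >= N:
        return False
    e = int.from_bytes(_tagged_hash("BIP0340/challenge", sig[:32] + pk + msg), "big") % N
    R = _add(_mul(G, s), _mul((pt[0], P - pt[1]), e))   # s*G + e*(-P)
    return R is not None and R[1] % 2 == 0 and R[0] == r

def event_id(ev):
    """NIP-01 id: sha256 of the compact JSON array [0, pubkey, created_at, kind, tags, content]."""
    ser = json.dumps([0, ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]],
                     separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(ser.encode()).hexdigest()

def make_event(sk, kind, content, created_at, tags=()):
    ev = {"pubkey": pubkey(sk).hex(), "created_at": created_at, "kind": kind,
          "tags": [list(t) for t in tags], "content": content}
    ev["id"] = event_id(ev)
    ev["sig"] = schnorr_sign(sk, bytes.fromhex(ev["id"])).hex()
    return ev

def verify_event(ev):
    """Correct check: the id must match the fields AND the signature must verify over the id."""
    return event_id(ev) == ev["id"] and schnorr_verify(
        bytes.fromhex(ev["pubkey"]), bytes.fromhex(ev["id"]), bytes.fromhex(ev["sig"]))

def id_only_check(ev):
    """CWE-347 pattern: the id is recomputed but the signature is never checked."""
    return event_id(ev) == ev["id"]

# Constructed sample data (hypothetical key): a genuine event, and a forgery where a relay
# or man-in-the-middle edited the content and recomputed the id but could not re-sign.
SK = (int.from_bytes(hashlib.sha256(b"example key, not a real one").digest(), "big") % N).to_bytes(32, "big")
GENUINE = make_event(SK, kind=1, content="meet at 10", created_at=1717718400)
FORGED = dict(GENUINE, content="meet at 11")
FORGED["id"] = event_id(FORGED)
```

`verify_event(GENUINE)` is true, `verify_event(FORGED)` is false, and `id_only_check(FORGED)` is true, which is the gap CWE-347 names. The serialization uses `json.dumps` with compact separators and `ensure_ascii=False`; NIP-01 additionally restricts which control characters may be escaped, so a production client should use a serializer that matches the spec exactly rather than the general-purpose JSON encoder.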


The people listed below reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Hayato Kimura of University of Hyogo
Ryoma Ito of National Institute of Information and Communications Technology (NICT)
Kazuhiko Minematsu of NEC Corporation/Yokohama National University
Takanori Isobe of University of Hyogo
CVSS Severity

CVSS V3 Severity:
Base Metrics 5.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2024-36277


CVSS V3 Severity:
Base Metrics 5.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2024-36279


CVSS V3 Severity:
Base Metrics 5.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2024-36289
Affected Products


FreeFrom K.K.
  • "FreeFrom - the nostr client" App for Android versions prior to 1.3.5
  • "FreeFrom - the nostr client" App for iOS versions prior to 1.3.5

Impact

  • The affected app does not reject event data whose signature is invalid, so forged or altered events may be accepted as genuine (CVE-2024-36277)

  • The content of direct messages (DMs) between users may be manipulated by a man-in-the-middle attack (CVE-2024-36279, CVE-2024-36289)
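The two DM vulnerabilities are described only at the CWE level: encrypted content with no integrity check (CWE-649, CVE-2024-36279, scored for integrity impact) and a reused nonce/key pair (CWE-323, CVE-2024-36289, scored for confidentiality impact). The page does not say which DM scheme the app uses. The block below is an added example, not code from the FreeFrom app, that shows both weaknesses on CBC mode with the IV sent alongside the ciphertext (the construction used by the nostr NIP-04 DM scheme; that the app follows it is an assumption), and then the fix: a fresh IV per message and an HMAC over IV and ciphertext checked before decryption. The block cipher is a toy 8-round Feistel network standing in for AES, since the malleability and the prefix leak come from the mode and the missing MAC, not from the cipher; keys and messages are constructed for the demo.

```python
# Added example, not code from the FreeFrom app: CBC mode without an integrity check
# (CWE-649) and with a reused IV (CWE-323), then the encrypt-then-MAC fix. The block
# cipher is a toy 8-round Feistel network standing in for AES (assumption: the
# weaknesses shown come from the mode and the missing MAC, not from the cipher).
import hashlib
import hmac
import os

BLOCK = 16

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, i, half):
    """Toy round function: keyed SHA-256 truncated to the 8-byte half-block."""
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def _enc_block(key, blk):
    l, r = blk[:8], blk[8:]
    for i in range(8):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def _dec_block(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(8)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, msg):
    """CBC with PKCS#7 padding; the iv travels alongside the ciphertext."""
    pad = BLOCK - len(msg) % BLOCK
    msg += bytes([pad]) * pad
    out, prev = [], iv
    for i in range(0, len(msg), BLOCK):
        prev = _enc_block(key, _xor(msg[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(_dec_block(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    pt = b"".join(out)
    pad = pt[-1]
    if not 1 <= pad <= BLOCK or pt[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding")
    return pt[:-pad]

def flip_first_block(iv, original, wanted):
    """CWE-649: with no MAC, XOR-ing the IV rewrites the first plaintext block from
    `original` to `wanted` without the key; the ciphertext itself is untouched."""
    delta = _xor(original, wanted)
    return _xor(iv, delta + bytes(BLOCK - len(delta)))

def same_leading_block(key, iv, m1, m2):
    """CWE-323: a reused IV makes equal leading plaintext blocks visible in the ciphertext."""
    return cbc_encrypt(key, iv, m1)[:BLOCK] == cbc_encrypt(key, iv, m2)[:BLOCK]

def seal(enc_key, mac_key, msg):
    """Fix: fresh random IV per message plus HMAC over iv||ct (encrypt-then-MAC)."""
    iv = os.urandom(BLOCK)
    ct = cbc_encrypt(enc_key, iv, msg)
    return iv + ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, blob):
    """Returns the plaintext, or None if the tag fails (reject before decrypting)."""
    iv, ct, tag = blob[:BLOCK], blob[BLOCK:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()):
        return None
    return cbc_decrypt(enc_key, iv, ct)

# Constructed demo values (hypothetical keys and messages)
KEY, MAC_KEY, IV = b"k" * 32, b"m" * 32, bytes(BLOCK)
ORIGINAL = b"send 0010 sats to bob"
CT = cbc_encrypt(KEY, IV, ORIGINAL)
FLIPPED_IV = flip_first_block(IV, b"send 0010", b"send 9910")
FORGED_PLAINTEXT = cbc_decrypt(KEY, FLIPPED_IV, CT)            # b"send 9910 sats to bob"
LEAKS_PREFIX = same_leading_block(KEY, IV, ORIGINAL, b"send 0010 sats to eve")
SEALED = seal(KEY, MAC_KEY, ORIGINAL)
TAMPERED = _xor(SEALED[:BLOCK], b"\x01" + bytes(BLOCK - 1)) + SEALED[BLOCK:]
REJECTED = open_sealed(KEY, MAC_KEY, TAMPERED) is None
```

The IV flip only reaches the first plaintext block, but that is enough to change an amount or a recipient at the start of a message, which is the manipulation the impact line describes; the prefix leak from a reused IV tells an observer that two DMs begin identically, which is the confidentiality side. With `seal`/`open_sealed` the same IV flip is rejected by the tag check before any plaintext is produced, and a fresh IV per message removes the prefix leak.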
Solution

[Update the application]
Update the application to the latest version according to the information provided by the developer.
Vendor Information

FreeFrom K.K.
CWE

  1. No Mapping (CWE-Other) [IPA Evaluation]
CVE

  1. CVE-2024-36277
  2. CVE-2024-36279
  3. CVE-2024-36289
References

  1. JVN: JVN#55045256
Revision History

  • [2024/06/07]
      Web page was published