Overview
Ignite Realtime's Smack XMPP API ServerTrustManager trusts unauthorized SSL certificates (CWE-358), and IQ request handling does not verify the from attribute, allowing anyone to spoof IQ responses (CWE-345).
Description
CWE-358: Improperly Implemented Security Check for Standard - CVE-2014-0363
The implementation of ServerTrustManager in Smack API version 3.4.1, and possibly earlier versions, does not properly verify the basicConstraints and nameConstraints of a certificate within a certificate chain.
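As an added illustration (not Smack's code) of the check the description says ServerTrustManager lacked: a hypothetical X509TrustManager that hands the server's chain to the JDK's PKIX CertPathValidator, which rejects an issuing certificate that lacks the cA basicConstraints flag, exceeds a pathLenConstraint, or violates a nameConstraints extension. The class name, the trust store argument and the disabled revocation check are assumptions.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.X509TrustManager;

// Hypothetical class, not Smack's ServerTrustManager. Delegating to the JDK's PKIX
// CertPathValidator enforces basicConstraints and nameConstraints on every issuer.
public final class PkixDelegatingTrustManager implements X509TrustManager {
    private final PKIXParameters params;
    private final CertificateFactory factory;

    public PkixDelegatingTrustManager(KeyStore trustStore) throws GeneralSecurityException {
        params = new PKIXParameters(trustStore); // anchors = trusted certs in the store
        params.setRevocationEnabled(false);      // assumption: revocation is checked elsewhere
        factory = CertificateFactory.getInstance("X.509");
    }
    private boolean isTrustAnchor(X509Certificate cert) {
        return params.getTrustAnchors().stream().anyMatch(a -> cert.equals(a.getTrustedCert()));
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty certificate chain");
        }
        // Chain is leaf first; a trailing root that is already an anchor is not part of the path.
        List<X509Certificate> path = new ArrayList<>(Arrays.asList(chain));
        if (path.size() > 1 && isTrustAnchor(path.get(path.size() - 1))) {
            path.remove(path.size() - 1);
        }
        try {
            CertPathValidator.getInstance("PKIX").validate(factory.generateCertPath(path), params);
        } catch (GeneralSecurityException e) {
            // CertPathValidatorException: non-CA intermediate, nameConstraints violation, unknown issuer, expiry.
            throw new CertificateException("PKIX validation failed: " + e.getMessage(), e);
        }
    }
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        throw new CertificateException("client certificates are not accepted");
    }
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return params.getTrustAnchors().stream().map(TrustAnchor::getTrustedCert).toArray(X509Certificate[]::new);
    }
}
```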
Impact
A remote unauthenticated attacker may be able to perform a man-in-the-middle attack, add roster entries, or spoof IQ responses.
Solution
Apply an Update
Vendor Information
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 5.7 | AV:A/AC:M/Au:N/C:C/I:N/A:N |
Temporal | 4.5 | E:POC/RL:OF/RC:C |
Environmental | 5.5 | CDP:LM/TD:M/CR:H/IR:L/AR:L |
References
Acknowledgements
Thanks to Ryan Sleevi for identifying the vulnerability in ServerTrustManager, to Thijs Alkemade for identifying the IQ validation vulnerability, and to Florian Schmaus for reporting this vulnerability.
This document was written by Jared Allar.
Other Information
CVE IDs: CVE-2014-0363, CVE-2014-0364
Date Public: 2014-04-29
Date First Published: 2014-04-29
Date Last Updated: 2014-04-29 14:11 UTC
Document Revision: 16