Full Disclosure mailing list archives
CVE-2018-15898: Subsonic Music Streamer 4.4 (Android) - Improper Certificate Validation
From: Andrew Klaus <andrewklaus () gmail com>
Date: Tue, 4 Sep 2018 19:43:37 -0600
Description: The Subsonic Music Streamer application 4.4 for Android has Improper Certificate Validation of the Subsonic server certificate, which might allow man-in-the-middle attackers to obtain interaction data.

Affected Product: Subsonic Music Streamer (Android client)
Vendor of Product: Sindre Mehus
Version(s) Affected: 4.4 and below (latest as of Sept 4, 2018)
CVE: CVE-2018-15898
Status: Still unpatched as of time of writing
Vulnerability Type: CWE-295: Improper Certificate Validation
Attack Type: Remote
Attack Vectors: To exploit the vulnerability, a MITM attacker can provide any untrusted or expired certificate to the client.
Discoverer: Andrew Klaus (andrewklaus () gmail com)

Mitigation: The only mitigation is to not use the app over an untrusted network, or to use a client that does verify the server certificate. Another client, Ultrasonic, which is free and open source and available on the Play Store, successfully verified the server TLS certificate when tested.

Other notes: The app hasn't been updated since 2014, so it's unlikely to be updated any time soon, if at all.

Timeline:
Aug 20, 2018: Contacted developer via official email address mail () subsonic org, with no reply
Aug 27, 2018: CVE assigned
Sept 4, 2018: Disclosed to Full Disclosure
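The advisory does not include the client's source. As an added illustration that is not Subsonic's code, the Java below shows the "trust everything" pattern that produces exactly the reported behaviour on Android (any untrusted or expired server certificate is accepted) beside the form that keeps the platform's default chain and hostname validation; the class and method names are hypothetical.

```java
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class SubsonicTlsExample {

    // VULNERABLE (CWE-295): a TrustManager whose check methods never throw
    // and a HostnameVerifier that accepts every name. Any certificate an
    // on-path attacker presents, self-signed or expired, is accepted silently,
    // so the TLS session gives no server authentication at all.
    static HttpsURLConnection openTrustAll(URL serverUrl)
            throws IOException, GeneralSecurityException {
        TrustManager[] trustAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) {}
            public void checkServerTrusted(X509Certificate[] chain, String authType) {}
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, null);
        HttpsURLConnection conn = (HttpsURLConnection) serverUrl.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier((hostname, session) -> true); // accepts any host
        return conn;
    }

    // FIXED: leave the platform defaults in place. HttpsURLConnection then
    // validates the chain against the device trust store, checks expiry and
    // verifies the hostname; an untrusted or expired certificate fails the
    // handshake with an SSLHandshakeException instead of being accepted.
    static HttpsURLConnection openValidated(URL serverUrl) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) serverUrl.openConnection();
        // No setSSLSocketFactory / setHostnameVerifier override here: the
        // defaults already perform the checks CWE-295 requires.
        return conn;
    }
}
```

When a self-hosted server uses a private CA, the correct Android answer is to trust that specific CA (for example via the app's network security configuration) rather than disabling validation for every server.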