| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 12 Dec 2013 09:29:05 +0100 From: mailing lists <lists@....cc> To: bugtraq@...urityfocus.com Subject: [CVE-2013-5112] Evernote Android Insecure Storage of PIN data / Bypass of PIN protection Evernote Android Insecure Storage of PIN data / Bypass of PIN protection Product: Evernote (Android) Project Homepage: evernote.com Internal Advisory ID: c22-2013-03 / c22-2013-04 Vulnerable Version(s): Android version 5.5.0 (and prior) Tested Version: Android 5.x (Android 4.2/4.3) Vendor Notification: Aug 13, 2013 Public Disclosure: December 07, 2013 Vulnerability Type: Authentication Bypass Issues [CWE-592] CVE Reference: CVE-2013-5112 Issue Severity: Important impact CVSSv2 Base Score: 6.6 (AV:L/AC:L/AU:N/C:C/I:C/A:N) Discovery: Chris John Riley ( http://blog.c22.cc ) Advisory Details: Effected versions of Evernote on the Android platform allow for users with limited access via the ADB (Android Debug Bridge) interface of an Android device (USB debugging enabled, no root access required) to perform backup and restore of applications and application data. The ADB backup functionality requires an Android device running the Ice-Cream Sandwich version of Android (4.x) or above. Evernote Premium on Android allows the user to set PIN protection on the the Android container to prevent unauthorized access in the event the device is lost or stolen. Due to the way recent versions of Android implements the backup and restore process, the implemented PIN protection can be avoided and entirely bypassed to allow attackers the ability to clear or recover the PIN from application settings data stored in com.evernote_preferences.xml. Using a simple process, it is possible for an attacker with physical access to a device to backup the Evernote Android container and either recvoerd the PIN (encoded with a simele XOR encryption) or remove any PIN protections present on the application container. The result of this attack is the exposure of any data stored within the Evernote Android container acquired by an attacker. Impact: Attackers can extract and possibly maintain access to a user's Evernote data from a lost or stolen device. Evernote have released a new version to the Google Play store that corrects these issue by disabling the ability to perform an ADB backup of the Evernote container. Additional changes have been made to the way Evernote stores the PIN within the XML configuration file. It has been confirmed that the version 5.5.1 is no longer directly susceptible to this attack method. References: At this time Evernote have not provided an advisory discussing the issue http://blog.c22.cc/2013/09/05/a-sneak-peak-into-android-secure-containers-2 http://blog.c22.cc/2013/08/01/bsideslv-android-backup-unpacker-release Vulnerability Timeline: May, 2013 - Initial discovery of vulnerability Aug 13, 2013 - Evernote contacted with request for secure communications Aug 13, 2013 - Response from Evernote setting up secure communications Aug 13, 2013 - Details reported to Evernote Aug 15, 2013 - Response from Evernote confirming issues being examined Aug 16, 2013 - CVE numbers sent to Evernote Aug 27, 2013 - Name added to Evernote acknowledgements page Nov 13, 2013 - Requested update from Evernote Nov 15, 2013 - Response from Evernote - issues still being tracked Nov 22, 2013 - Confirmation of fix for XOR PIN Nov 25, 2013 - Asked for confirmation on other issues Nov 25, 2013 - Confirmation that both issues had been address in 5.5.1 Dec 07, 2013 - Advisory released (delayed)
Powered by blists - more mailing lists