Improper validation of certificates within the iOS application

Aug 10, 2020

Improper validation of certificates within the iOS application

Platform: Mobile Clients

Versions: iOS 3.4.4,

Date: 8/31/2015

Risk level: High

CVSS v2 Base Score: 7.8 (AV:A/AC:L/Au:N/C:C/I:C/A:N)

CWE: Improper Validation of Certificate with Host Mismatch (CWE-297)

Description

The ownCloud iOS Library was vulnerable against a remotely exploitable certification problem until version 1.1.2. The vulnerable library version is used by the official ownCloud iOS client until version 3.4.4.

Specifically it has been discovered that the used networking library (AFNetworking) is per default not ensuring whether the host-specific data (i.e. the Common Name (“CN”) of the certificate) is actually associated with the connected remote host.

This effectively allows MITM (Man-in-the-Middle) attacks, allowing adversaries in such a position to intercept the traffic of the application using the ownCloud iOS Library.

ownCloud highly advises users to update affected clients as soon as possible to ensure data integrity and confidentiality. Third-party developers using the ownCloud iOS Library are encouraged to update the library and provide users with updated client versions.

Affected Software

  • ownCloud Mobile < iOS 3.4.4 (CVE-2015-3996 (Note: This is the upstream CVE for the responsible AFNetworking issue))

Action Taken

The vulnerable library has been updated.

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Lukas Reschke – ownCloud Inc. (lukas@owncloud.com) – Vulnerability discovery and disclosure.

Your secure file platform

Boost your productivity and enable collaboration within your organization. 

Install Server

The backbone of secure file sharing

Start Online

Our software as a service solution. Hosted securely in Germany.
Ready in a glimpse.

Download Mobile Apps

Bring your productivity game to the next level. Download our Android or iOS app from the app stores.