At the Ruxcon Security Conference in Australia, an unnamed security researcher revealed that CyanogenMod developers “copy-pasted” Oracle’s “sample code for Java 1.5” could exposed Android devices with CyanogenMod at risk of man-in-the-middle attacks. The researcher decided to disclose the zero-day in CyanogenMod after he tried ethically to info CyanogenMod that did not respond. The expert described the fix as “fairly simple,” adding that “the exposure served as an academic exercise in the perils of code reuse.”
As warned by the expert, installing CyanogenMod on Android device, then the user’s device is vulnerable to a zero-day blamed on code re-use.
“If you go and create a SSL certificate for a domain you own, say evil.com and in an element of the certificate signing request such as the ‘organization name’ field you put the ‘value,cn=*domain name*, it will be accepted as the valid domain name for the certificate.” explained the researcher. “Cyanogenmod uses this implementation for its browsers so you can go now and MitM someone’s phone.”
The researcher highlights the improper validation of SSL certificates made by the mobile devices which fail to perform the certificate pinning procedure when establishing a trusted connection to the service provider. The failure of the certificate pinning procedure exposes users to the risk of MitM attacks and consequent theft of sensitive information.
The expert warned that CyanogenMod and a “ton of others” OS installations reused flawed code that was reported to have SSL vulnerabilities back in 2012. Unfortunately, also the last version CM 11.0 M11 that was released October 8th hasn’t fixed the flaw and CyanogenMod hasn’t provided a reply on the yet to respond to the zero-day allegation.
The experts consider this vulnerability critical due to the large number of CyanogenMod installations worldwide, which according the official statistics are more than 10 million as of December 2013.
Code re-use is a very common practice within development community, but in many cases it could act as vector for old vulnerability due to not accurate repackaging of source code.
“I was looking at HTTP component code and I was thinking I had seen this code before,” the researcher said. “They just copy-pasted the sample code and that’s what was vulnerable. “I checked on GitHub and found out a tonne of others were using it.”
Let’s wait for the reply of CyanogenMod.
(Security Affairs – CyanogenMod, Android)