Advisory: Intel Crosswalk SSL Prompt Issue [CVE 2016-5672]

Summary

The Intel Crosswalk Project library for cross-platform mobile development did not properly handle SSL errors. This behaviour could subject applications developed using this library to SSL MITM attacks.

Vulnerability Details

The Crosswalk Project, created by Intel’s Open Source Technology Center, allows mobile developers to use HTML, CSS and Javascript to develop and deploy mobile apps across multiple platforms from the same codebase. The library packages the HTML assets provided by the developer and runs them inside a WebView on the device. The library also bridges some of the common APIs and services from the Javascript code in the WebView to the underlying platform. The project supports deployment to iOS, Windows Phone and Android. It is implemented in multiple apps, some of which can be found here.

For the Android implementation of CrossWalk – when an invalid or self-signed SSL certificate is used during communication with the server, the underlying library displays a prompt to the user asking them to grant permission or deny permission to this certificate. If the user allows the certificate, that choice is remembered going forward and from that point in, all subsequent requests with invalid SSL certificates are accepted by the application, and are not rechecked. This applies even to connections over different WiFi hotspots and different certificates. This may allow a network-level attacker to mount MITM attack using invalid SSL certificate and capture sensitive data.

screenshot_crosswalk
Example of error dialog

The fix changes the behaviour to generate a programmatic error message not visible to the user  about an invalid SSL certificate. This issue has been fixed in the following versions of Crosswalk and all users of the library are encouraged to upgrade:

  • 19.49.514.5 (stable)
  • 20.50.533.11 (beta)
  • 21.51.546.0 (beta)
  • 22.51.549.0 (canary)

This issue was originally discovered while testing a third-party Android app using this library.

References

CERT/CC tracking: VR-180
CERT/CC vulnerability note: VU#217871
Crosswalk bug report: XWALK-6986
Crosswalk security advisory: see here
CVE ID: CVE-2016-5672
Intel blog: see post here

Credits

Thank you to CERT/CC for coordination on this issue, and to the Intel Open Source Technology Center for the fix. Bug discovered and advisory written by Yakov Shafranovich.

Timeline

2016-05-25: Reported issue to the Intel PSIRT, got an automated reply
2016-05-30: Reached out to CERT/CC for help reaching Intel
2016-06-01: Request from CERT/CC for more details, provided details via secure form
2016-06-15: Response from CERT/CC that Intel is planning a fix within 45 days
2016-06-23: Direct contact from Intel
2016-07-01: Asking CERT/CC to reserve a CVE, CERT/CC assigns a CVE
2016-07-22: Intel fix is finished and ready for testing
2016-07-25: We confirm the fix and coordinate disclosure dates
2016-07-29: Coordinated public disclosure

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s