The Intel Crosswalk Project library for cross-platform mobile development did not properly handle SSL errors. This behaviour could subject applications developed using this library to SSL MITM attacks.
In the Android implementation of Crosswalk, when an invalid or self-signed SSL certificate is used during communication with the server, the underlying library displays a prompt asking the user to grant or deny permission to this certificate. If the user allows the certificate, that choice is remembered going forward, and from that point on all subsequent requests with invalid SSL certificates are accepted by the application and are not rechecked. This applies even to connections over different WiFi hotspots and with different certificates. This may allow a network-level attacker to mount a MITM attack using an invalid SSL certificate and capture sensitive data.
The fix changes the behaviour to generate a programmatic error message not visible to the user about an invalid SSL certificate. This issue has been fixed in the following versions of Crosswalk and all users of the library are encouraged to upgrade:
- 19.49.514.5 (stable)
- 20.50.533.11 (beta)
- 21.51.546.0 (beta)
- 22.51.549.0 (canary)
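A minimal model of the remembered-allow behaviour and of the fail-closed fix described above, added here as an illustration; it is not Crosswalk's code. The class names, hosts, networks and fingerprints are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Connection:
    """Constructed sample: one TLS connection as the error handler sees it."""
    network: str       # hotspot the device is on
    host: str
    cert_sha256: str   # placeholder fingerprint, not a real certificate
    chain_valid: bool  # result of normal certificate validation


@dataclass
class StickyAllowHandler:
    """Pre-fix behaviour: one user 'allow' is remembered with no scope at all."""
    user_allowed_once: bool = False
    prompts: int = 0

    def handle(self, conn, user_clicks_allow=False):
        if conn.chain_valid:
            return "proceed"
        if self.user_allowed_once:
            return "proceed"  # not rechecked: any later invalid certificate passes
        self.prompts += 1     # the user is asked only this one time
        self.user_allowed_once = user_clicks_allow
        return "proceed" if user_clicks_allow else "cancel"


@dataclass
class FailClosedHandler:
    """Post-fix behaviour: no prompt; the load is cancelled and the app gets an error."""
    errors: list = field(default_factory=list)

    def handle(self, conn, user_clicks_allow=False):
        if conn.chain_valid:
            return "proceed"
        self.errors.append((conn.host, conn.cert_sha256))  # programmatic error, no UI
        return "cancel"


def replay(handler):
    """Self-signed cert on one network, then a different invalid cert on another."""
    sequence = [  # (connection, whether the user would click "allow" if prompted)
        (Connection("home-wifi", "dev.example.test", "aa" * 32, False), True),
        (Connection("cafe-wifi", "bank.example.test", "bb" * 32, False), False),
        (Connection("cafe-wifi", "bank.example.test", "cc" * 32, True), False),
    ]
    return [handler.handle(conn, click) for conn, click in sequence]
```

The second connection is the case the advisory describes: a different certificate, host and hotspot, accepted by the sticky handler without any prompt.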
This issue was originally discovered while testing a third-party Android app using this library.
CERT/CC tracking: VR-180
CERT/CC vulnerability note: VU#217871
Crosswalk bug report: XWALK-6986
Crosswalk security advisory: see here
CVE ID: CVE-2016-5672
Intel blog: see post here
Thank you to CERT/CC for coordination on this issue, and to the Intel Open Source Technology Center for the fix. Bug discovered and advisory written by Yakov Shafranovich.
2016-05-25: Reported issue to the Intel PSIRT, got an automated reply
2016-05-30: Reached out to CERT/CC for help reaching Intel
2016-06-01: Request from CERT/CC for more details, provided details via secure form
2016-06-15: Response from CERT/CC that Intel is planning a fix within 45 days
2016-06-23: Direct contact from Intel
2016-07-01: Asking CERT/CC to reserve a CVE, CERT/CC assigns a CVE
2016-07-22: Intel fix is finished and ready for testing
2016-07-25: We confirm the fix and coordinate disclosure dates
2016-07-29: Coordinated public disclosure