CVE: CVE-2016-6550 - CVE-Search

CVE Details for CVE: CVE-2016-6550

Summary

The U by BB&T app 1.5.4 and earlier for iOS does not properly verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Timestamps
Last major update	28-11-2016 - 20:33
Published	05-10-2016 - 01:59
Last modified	28-11-2016 - 20:33

References

Vulnerable Configurations

cpe:2.3:a:bb\&t:the_u:1.5.4:*:*:*:*:iphone_os:*:*
cpe:2.3:a:bb\&t:the_u:1.5.4:*:*:*:*:iphone_os:*:*

CAPEC

Click the CAPEC title to display a description

Signature Spoofing by Key Recreation
An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

CWE

CWE-310

CVSS

Base

4.3

Impact

4.9

Exploitability

5.5

Access

Vector	Complexity	Authentication
ADJACENT_NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	NONE

CVSS3

Base

5.4

Impact

2.5

Exploitability

2.8

Access

Attack Complexity	Attack vector	Privileges Required	Scope	User Interaction
LOW	ADJACENT_NETWORK	NONE	UNCHANGED	NONE

Impact

Confidentiality	Integrity	Availability
LOW	LOW	NONE

VIA4 references

cvss-vector via4

AV:A/AC:M/Au:N/C:P/I:P/A:N

cvss3-vector via4

CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

refmap via4

bid	93259
cert-vn	VU#338624