#VU65650 Man-in-the-Middle (MitM) attack in OkHttp - CVE-2016-2402

Cybersecurity Help s.r.o.

Published: 2022-07-21

Vulnerability identifier: #VU65650

Vulnerability risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2016-2402

CWE-ID: CWE-300

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OkHttp
Mobile applications / Libraries for mobile applications

Vendor: Square

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to an unspecified error. A remote attacker can send a certificate chain with a certificate from a non-pinned trusted CA and the pinned certificate to bypass certificate pinning.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

OkHttp: 2.7.0 - 2.7.3, 3.1.0 - 3.1.1

External links
https://www.openwall.com/lists/oss-security/2016/02/10/8
https://www.openwall.com/lists/oss-security/2016/02/18/7
https://koz.io/pinning-cve-2016-2402/
https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E
https://publicobject.com/2016/02/11/okhttp-certificate-pinning-vulnerability/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Cloud Pak for Security (CP4S)

Multiple vulnerabilities in IBM PureData System for Operational Analytics

Fedora 23 update for okhttp, okio