CVE-2014-5960
Description
The BundesArztsuche (aka de.kbv.bas) application 1.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The BundesArztsuche Android app (v1.0.1) fails to verify X.509 certificates, enabling MITM attacks to spoof servers and steal sensitive data.
Vulnerability
The BundesArztsuche (de.kbv.bas) application version 1.0.1 for Android does not properly validate X.509 certificates presented by SSL/TLS servers. This means that when the app establishes an HTTPS connection, it does not verify that the certificate chain is signed by a trusted root certificate authority. The flaw affects the specific version 1.0.1, as described in the official CVE summary [1].
Exploitation
An attacker positioned on the same network as the Android device (e.g., a malicious Wi-Fi hotspot or through ARP spoofing) can perform a man-in-the-middle attack. The attacker presents a crafted certificate to the application, which the app accepts without validation. This allows the attacker to intercept and potentially modify HTTPS traffic between the app and the intended server. No additional authentication or user interaction beyond launching the app is required [1].
Impact
Successful exploitation enables the attacker to read (information disclosure) and possibly modify sensitive data that the BundesArztsuche app sends or receives. The exact impact depends on the data handled by the app, but could include exposure of personal health information or other private user data. The attacker gains the ability to spoof the legitimate server and obtain sensitive information [1].
Mitigation
The CERT/CC advisory recommends not using affected applications when equivalent functionality is available via a web browser, as browser-based access typically uses proper SSL validation by the operating system. As of the publication date, no official patch or updated version of the BundesArztsuche app has been identified in the available references to address the certificate validation flaw [1].
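The following Java example is added here for illustration and is not code from the BundesArztsuche app, the advisory, or the CVE references; the page does not show how de.kbv.bas 1.0.1 is implemented, so the "trust-all" TrustManager and HostnameVerifier in openInsecure are an assumed, typical cause of a "does not verify X.509 certificates" finding rather than the app's actual code. It puts that pattern beside the hardened form (openValidated), which leaves certificate-chain and host-name checking to the platform, and the main method is a small defender's probe: pointing it at a server with a self-signed or mismatched certificate should end in an SSLHandshakeException, which is the behaviour the vulnerable app lacks. The class name and the placeholder URL are the example's own.

```java
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/**
 * Illustrative example, not the BundesArztsuche app's own code.
 * Shows the disabled-validation pattern that produces this class of CVE
 * beside the form that keeps the platform's X.509 validation intact.
 */
public final class CertificateValidationExample {

    // VULNERABLE (assumed pattern): a TrustManager whose checkServerTrusted
    // never throws, plus a HostnameVerifier that always returns true. Any
    // certificate chain presented by an on-path server is accepted, which is
    // the condition the CVE description calls "does not verify X.509 certificates".
    static HttpsURLConnection openInsecure(URL url) throws IOException, GeneralSecurityException {
        TrustManager[] trustAll = new TrustManager[] {
            new X509TrustManager() {
                @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { } // no validation
                @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(new HostnameVerifier() {
            @Override public boolean verify(String hostname, SSLSession session) { return true; } // no validation
        });
        return conn;
    }

    // HARDENED: no custom TrustManager or HostnameVerifier at all. The default
    // SSLSocketFactory validates the chain against the device trust store and
    // the default verifier matches the host name, so a spoofed or self-signed
    // certificate fails the handshake with SSLHandshakeException.
    static HttpsURLConnection openValidated(URL url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(10_000);
        return conn;
    }

    // Defender's probe: connect with platform validation and report whether the
    // peer certificate was accepted. Run it against a test server that presents
    // a self-signed certificate; the expected outcome is "rejected".
    public static void main(String[] args) throws Exception {
        // Placeholder URL (example's own); replace with the endpoint under test.
        URL target = new URL(args.length > 0 ? args[0] : "https://example.invalid/");
        HttpsURLConnection conn = openValidated(target);
        try {
            conn.connect();
            System.out.println("accepted: " + conn.getPeerPrincipal());
        } catch (SSLHandshakeException e) {
            System.out.println("rejected: " + e.getMessage());
        } finally {
            conn.disconnect();
        }
    }
}
```

In a code review of an Android app, the signals to look for are exactly the two overrides in openInsecure: an X509TrustManager whose checkServerTrusted body is empty or only logs, and a HostnameVerifier that returns true unconditionally. Android Lint reports both (TrustAllX509TrustManager and BadHostnameVerifier), and the cleanest fix is usually deletion rather than repair: remove the custom trust code so the platform's validation applies, as in openValidated.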
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:kbv:federal_doctors:1.0.1:*:*:*:*:android:*:*
- Range: <= 1.0.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.kb.cert.org/vuls/id/582497 (nvd; Third Party Advisory; US Government Resource)
- www.kb.cert.org/vuls/id/557681 (nvd; US Government Resource)
- docs.google.com/spreadsheets/d/1t5GXwjw82SyunALVJb2w0zi3FoLRIkfGPc7AMjRF0r4/edit (nvd)
News mentions
No linked articles in our index yet.