Unrated severity · NVD Advisory · Published Oct 4, 2014 · Updated May 6, 2026

CVE-2014-6921

Description

The Buckhorn Grill (aka com.orderingapps.buckhorn) application 2.8 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Buckhorn Grill Android app fails to validate SSL certificates, enabling man-in-the-middle attacks to intercept sensitive data.

Vulnerability

The Buckhorn Grill (com.orderingapps.buckhorn) application version 2.8 for Android does not properly validate X.509 certificates from SSL servers [1]. This means the app accepts any certificate presented during an HTTPS connection, including self-signed or malicious certificates. The app is listed among many Android applications that fail dynamic SSL validation testing [2].

Exploitation

An attacker with network access (e.g., on the same Wi-Fi network) can perform a man-in-the-middle attack by presenting a crafted certificate to the app. The app will accept the fraudulent certificate and establish an HTTPS connection with the attacker's server instead of the legitimate server. No user interaction beyond normal app usage is required.

Impact

Successful exploitation allows the attacker to view or modify network traffic that should have been protected by HTTPS. This can lead to disclosure of sensitive information such as login credentials, personal data, or payment details. The impact varies based on what the app transmits.

Mitigation

As of the publication date (2014-10-04), no fix has been released. Users are advised to avoid the Buckhorn Grill app and to access the service through a web browser instead, which typically uses the device's built-in SSL validation [1]. The app may be removed or replaced with a secure version if one becomes available. The CVE is not known to be listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

3
