VYPR
Low severity 3.1 · NVD Advisory · Published Aug 2, 2017 · Updated May 13, 2026

CVE-2016-7812

Description

The Bank of Tokyo-Mitsubishi UFJ, Ltd. App for Android ver5.3.1, ver5.2.2 and earlier allows a man-in-the-middle attacker to downgrade the communication between the app and the server from TLS v1.2 to SSL v3.0, which may allow the attacker to eavesdrop on encrypted communication.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Bank of Tokyo-Mitsubishi UFJ Android app (<=5.3.1) allows MITM downgrade from TLS 1.2 to SSL 3.0, enabling eavesdropping via POODLE attack.

Vulnerability

The Bank of Tokyo-Mitsubishi UFJ, Ltd. App for Android versions 5.3.1, 5.2.2 and earlier attempts to communicate with the server via TLS v1.2. However, if the server responds indicating SSL v3.0, the app falls back to SSL v3.0, which is vulnerable to the POODLE attack (CWE-757). This vulnerability allows a man-in-the-middle attacker to downgrade the encryption protocol.[1]

Exploitation

An attacker with man-in-the-middle network position can exploit this vulnerability by intercepting the TLS handshake and responding with a signal to downgrade to SSL v3.0. Once the connection uses SSL v3.0, the attacker can leverage the POODLE attack to decrypt the encrypted communication. No authentication or user interaction is required beyond the app's normal operation.[1]

Impact

Successful exploitation allows the attacker to eavesdrop on encrypted communications between the app and the server. This could lead to disclosure of sensitive information such as account details or transaction data. The CVSS v3 base score is 3.1 (Low) with a confidentiality impact of Low and no integrity or availability impact.[1]

Mitigation

Users should update the app to the latest version provided by The Bank of Tokyo-Mitsubishi UFJ, Ltd. The vendor has released an update to address this issue. No other workarounds are documented.[1]

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
