VYPR
Unrated severity · NVD Advisory · Published Jul 26, 2018 · Updated Aug 5, 2024

CVE-2018-0622

Description

DHC Online Shop App for Android (≤3.2.0) does not verify SSL server certificates, which allows man-in-the-middle (MITM) attackers to eavesdrop on encrypted communications.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The DHC Online Shop App for Android version 3.2.0 and earlier does not verify X.509 certificates from SSL servers. This means the app accepts any certificate presented by a server, including self-signed or forged certificates, without validating them against a trusted certificate authority. The vulnerability exists in the SSL/TLS implementation of the app and requires no special configuration to be triggered.

Exploitation

An attacker must be in a position to intercept network traffic between the app and the legitimate server (man-in-the-middle). The attacker can present a crafted certificate (e.g., self-signed) to the app, which will be accepted due to the lack of certificate verification. No user interaction or authentication is required beyond the app being used over a network the attacker controls.

Impact

Successful exploitation allows the attacker to eavesdrop on encrypted communications between the user and the server, potentially capturing sensitive information such as login credentials, personal data, or payment details. The confidentiality and integrity of the communication are compromised, as the attacker can both read and modify the data in transit.

Mitigation

The developer, DHC Corporation, recommends updating to the latest version of the app, as stated in its advisory [1]. The fixed version is not explicitly specified in the available references, but users should ensure they are using a version newer than 3.2.0. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
