Earlier Monday, The Register ran a story about an apparent vulnerability in CyanogenMod that allows for a Man-in-the-Middle (MitM) attack. This article stated that due to code re-using, all devices with CyanogenMod installed on them were vulnerable to such an attack. This went even further to include “many others,” which I am assuming means other ROM cookers. This vulnerability could allow attackers to target any browser being used on this ROM and initiate an attack
The code that was reused was from Oracle sample code for Java 1.5, which had already been reported to be vulnerable to these attacks back in 2012. The researcher that The Register quoted said this:
If you go and create a SSL certificate for a domain you own, say evil.com and in an element of the certificate signing request such as the ‘organization name’ field you put the ‘value,cn=*domain name*, it will be accepted as the valid domain name for the certificate.
Cyanogenmod uses this implementation for its browsers so you can go now and MitM someone’s phone
This, mixed with the fact that CyanogenMod has “more than 10 million users,” according to The Register, makes for kind of a sticky situation.
So what’s the deal?
Let’s break this down and keep it really simple.
What’s a Man-in-the-Middle Attack?
A man-in-the-middle attack is, in it’s most basic form, when someone intercepts a message between two people and then passes it off to the second person like it came from the first person. From here, the person in the middle can change the contents of that message, and the receiver would be none the wiser.
In this particular instance, the website certificate is the message in between two parties: the user and the website. As the researcher was quoted above, a certificate can be passed into this communicated between the user and the website that says that it is from the website. This would allow an attacker access to vital data.
Where does the problem originate?
Since those included in “a tonne of others” were never named, it’s hard to really pinpoint where this problem originated. On one hand, these “others” could be ROM developers who base their code on CyanogenMod. The Register does specifically state that CyanogenMod is the one with the vulnerability, not AOSP.
Since CyanogenMod is based off AOSP, and I suspect these other ROM developers base their code off AOSP, the problem could actually originate upstream in Google’s code, as pointed out by Reddit user dastin1015. Another Reddit user points out that there has been a patch that fixes this issue, which can be seen on CyanogenMod’s github. For comparison, here’s Google’s source.
It looks like CyanogenMod is actually the one with the fix, and Google is the one with the vulnerability.
Who does this affect?
According to the unnamed researcher The Register quoted, CyanogenMod’s 10 million users and “a tonne of others” are affected. That’s a lot of people. However, this isn’t the whole truth. According to PsychoI3oy (the CyanogenMod “bugmonkey”) on CM’s Jira, KitKat no longer uses JSSE, so anyone on Android 4.4+ is not affected.
So since the problem originates in AOSP, that means that about 25% of people will be alright, and that steps are already being taken to fix this. However, that leaves about 75% of people affected: from the few people still running Froyo all the way to 4.3 Jellybean.
I’m sure this will be sorted out in the coming days. Just make sure to update to the newest nightly when the CyanogenMod team issues a fix for those devices that are affected. As for people running stock Android 4.3 and below, it looks like the ball is in Google’s court now.
Source: The Register