back to article Android's Cyanogenmod open to MitM attacks

More than 10 million users of the popular Cyanogen build of Android are exposed to man-in-the-middle (MitM) attacks thanks to reuse of vulnerable sample code. The zero day vulnerability makes it possible to target any browser used on the popular Android distribution. A security researcher who works for a top-tier vendor, but …

  1. dotdavid

    "The researcher responsibly disclosed the flaw to affected providers but had no luck with Cyanogenmod maintainers"

    Let me guess, he approached some key developers directly and got no response? I suspect they get a lot of time-wasting contact from people who claim to have found vulnerabilities, and being a small firm probably don't really have the resources to deal with every out-of-channel bug report, so probably ignore them all unless they're from people they recognise.

    Perhaps there should be a way of submitting bugs to their public bug tracker (which I think is Jira) in such a way that only the development team get to initially see the bug, to aid in responsible disclosure of security issues. Or is there such a way already?

    As for the vulnerability itself, at least we'll get a flashable patch in a couple of days. That proves the benefits of CM over manufacturer firmware if anything does.

    1. dotdavid

      As I appear to have the first comment post, and The Register haven't updated the article, here is a link to Cyanogen Inc's response.

      Of particular note to me is that it doesn't actually effect CM11 (the latest version) as the code isn't in Android KitKat, and is upstream in Google's earlier code anyway. Storm in a teacup.

      1. lordtuskington

        Turns out this flaw *IS* real and affects CM11

        For details see: http://bit.ly/1tAL8tp

  2. Sam Liddicott
    Thumb Up

    Not the problem but the advantage

    This is not the problem with code re-use, but the advantage of code re-use.

    Rather than implement your own secret bugs and possibly never get to know, it's now easy to find if you copied that bug and have it fixed.

  3. Anonymous Coward
    Anonymous Coward

    Another week...

    ...another epic fail by the amateurs in F/OSS-land. When will people learn?

    1. thesykes

      Re: Another week...

      Absolutely. You never find massive gaping security vulnerabilities in software produced by big multi-national commercial companies, do you?

    2. Anonymous Coward
      Devil

      Re: Another week...

      Because you are a pro, right? LOL

    3. bazza Silver badge

      Re: Another week...

      "...another epic fail by the amateurs in F/OSS-land. When will people learn?"

      Copying dodgy code isn't restricted just to F/OSS-land. There's lazy programmers all over who are on a time and money budget.

      Cyanogenmod (and any other similarly maintained community backed equivalent) is probably the best model for Android. There is at least a good prospect of a bug like this being fixed and made widely deployable. Unlike most of the manufacturers' own spins of Android.

  4. Jyve

    So it'll be fixed soon?

    M...12? just released? So there'll be a quick fix/release this week soon most likely.

    Wonder how common CM actually IS in common use. Is the 10million amount of downloads/upgrades or actual current running versions? Guess my Nexus One running CM7 is out of luck.

    1. Anonymous Coward
      Anonymous Coward

      Re: So it'll be fixed soon?

      CM11.0 M11 just released.

      I have running on Samsung Galaxy S2 & S3.

      As I don't use my phones often for web browsing, not that bothered.

      I also have a Motorola Xoom on CM11.0 M10, which I do use for web surfing though, but it's still a minority web surfing tool - Linux PC #1.

      1. b166er

        Re: So it'll be fixed soon?

        I wish the stable release auto-updater had a checkbox to allow milestones too.

        (can't be bothered to flash ROMs manually on all my devices)

      2. This post has been deleted by its author

  5. Adam 1

    >He said the fix was fairly simple and said the exposure served as an academic exercise in the perils of code reuse

    I would venture to suggest that code reuse is not the problem. No, I will go further than that. If you roll your own security code there is a better than average chance that what you come up with is much worse.

    The problem here is that the developer used the code without understanding how it worked and failed to write test cases that included validation against an invalid certificate.

    1. petur
      FAIL

      Indeed, taking sample code from a manufacturer and think this is proper bugfree code is a beginners mistake... I've spent considerable time in the past fixing bugs in drivers and reference designs...

    2. .thalamus

      Unfortunately, CyanogenMod doesn't write test cases for anything they change, which is why they introduce so many bugs.

      The general process:

      'Lets add this, this looks good, although I don't understand what it actually does ha ha.'

      'Yeah, it looks great that, it looks funky.'

      *Copy, Paste, git commit (no attribution to the author)*

      'Oh yeah, it seems to work alright, lets merge it.'

      That's about the gist of it from what I've seen and experienced...

  6. Mario Becroft
    FAIL

    Inadequate CA CSR review partly to blame

    As described in this article, it sounds as if part of the problem is CA's not vetting the certificates they provide for obvious exploit attempts via other certificate information fields. Surely a human glancing over the CSR should immediately see something fishy going on, and a reputable CA should refuse to sign such a certificate.

    1. NullReference Exception

      Re: Inadequate CA CSR review partly to blame

      The cheap/free certificate providers I've used (StartSSL, GoDaddy, Comodo) do NOT let you specify arbitrary values for certificate fields - they ignore pretty much everything in the CSR except for the key and fill out the rest of the cert with hardcoded values (either blank fields or fixed strings like "Domain Control Validated".) Can't speak for more expensive cert providers as I've never had occasion to use one.

  7. paulc

    And so...

    Has Oracle fixed their sample code yet?

    1. captain veg Silver badge

      Re: And so...

      If their samples are anything like those in MSDN, that would be a herculean task.

      -A.

    2. Adam 1

      Re: And so...

      Still waiting for them to properly fix their production code.

      1. Anonymous Coward
        Coffee/keyboard

        Re: And so...

        The shipping address for my new keyboard is....

        You sir, have skill.

  8. captain veg Silver badge

    Single biggest bug source

    Copy/Paste. How many bugs would be avoided just by removing that functionality from code editors?

    -A.

    1. Adam 1

      Re: Single biggest bug source

      Then how would you refactor your methods? It isn't like IDEs have built in features where you can extract code to new method. Clearly you have to copy the method, add your new loop and if statement and give it some obscure name.

      Also, wouldn't it be great if build servers were able to reject check-ins if duplicate code was detected? Ah, pipe dreams.

  9. Quark Kent

    This may be outdated already to some extent.

    According to jira.cyanogenmod.org "KitKat does not use JSSE - Android 4.4 is not affected." So Cyanogenmod 11S for example would not be affected.

    https://jira.cyanogenmod.org/browse/BACON-1687?jql=text%20~%20%22man%20in%20the%20middle%22

  10. Anonymous Coward
    Anonymous Coward

    @ElReg Is that a copy of the Angling Times? ....

    because I think you've been told a big fish story here .

    The Bug and FIx

    http://review.cyanogenmod.org/#/c/74106/1/src/org/apache/http/conn/ssl/AbstractVerifier.java

    http://review.cyanogenmod.org/#/c/74114/

    Looks like it was dealt with 2 weeks ago.. so fuck know what he's on about.

    "The researcher responsibly disclosed the flaw to affected providers but had no luck with Cyanogenmod maintainers and so mentioned the zero-day at the Ruxcon security event in Melbourne."

    Or is that a bit artistic licence on the reporting ? Either way the code got merged which should be thanks enough .. no-one at CM is going to wank him off for saving the day with a 700+ day "zero day"

  11. Anonymous Coward
    Anonymous Coward

    The folks at Cyanogenmod seem to disagree...

    "Which brings us back to the article. We can say that after investigating the claims, albeit without the help of the author, there is no known reference to the item they are discussing within CM11."

    http://www.cyanogenmod.org/blog/in-response-to-the-register-mitm-article

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022