SIK-2016-014
Title:
HEAG mobilo Insecure Database Replication
Report ID:
SIK-2016-014
Summary:
- Vendor: GeoMobile GmbH
- Product: HEAG mobilo
- Affected Version: 2.4.45
- Severity: Low
- Short summary:
The app synchronizes data with a remote CouchDB server without proper server authentication. This allows man-in-the-middle attackers to manipulate the data shown in the app.
Details
The app connects to http://couchdata.busaccess.de:5984/ using a plain HTTP connection. Since this connection is neither authenticated nor integrity-protected, a man-in-the-middle attacker on the same network can easily inject rogue data. A simple DNS manipulation is sufficient to spoof a rogue database server and supply attacker-defined records.
The app apparently uses the publicly visible CouchDB to update its own data via database replication. Because the transport is unprotected, an attacker can inject new records, or modify and delete existing ones, during this replication.
Workaround
Disable the replication between the local database and CouchDB.
Suggested Mitigation
Always use TLS when communicating with remote services. A properly validated TLS connection ensures both the authenticity of the remote server and the integrity of the downloaded data.
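The following is an added example, not code from the advisory, the app or GeoMobile, of what a properly validated pull from the remote CouchDB looks like: the replication source must be reached over https, and the TLS context verifies both the certificate chain and the hostname before any record is accepted. The hostname is the one named above; the database name `busdata`, the TLS port 6984 (CouchDB's conventional HTTPS port) and the optional `cafile` path are assumptions.

```python
import ssl
import json
import urllib.request
from typing import Optional
from urllib.parse import urlsplit, urlunsplit, urlencode


class InsecureReplicationSource(ValueError):
    """Raised when the replication source would not be server-authenticated."""


def make_tls_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Build a context that verifies the certificate chain and the hostname.

    create_default_context() already sets CERT_REQUIRED and check_hostname; they
    are re-asserted here so a later edit cannot quietly turn them off. Passing
    cafile (assumed path) restricts trust to a single CA, e.g. the operator's own.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def build_changes_url(remote: str, db: str, since: str = "0") -> str:
    """Return the _changes feed URL a pull replication reads from, or refuse.

    A plain-http source (as in the advisory) is rejected outright: without TLS
    nothing authenticates the server, so any on-path host can answer instead.
    """
    parts = urlsplit(remote)
    if parts.scheme != "https":
        raise InsecureReplicationSource(f"refusing non-TLS replication source: {remote}")
    if not parts.hostname:
        raise InsecureReplicationSource(f"replication source has no host: {remote}")
    query = urlencode({"since": since, "include_docs": "true"})
    return urlunsplit(("https", parts.netloc, f"/{db}/_changes", query, ""))


def fetch_changes(remote: str, db: str, since: str = "0",
                  cafile: Optional[str] = None, timeout: float = 10.0) -> dict:
    """Pull the change feed over verified TLS (this one makes a network request)."""
    req = urllib.request.Request(build_changes_url(remote, db, since),
                                 headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout, context=make_tls_context(cafile)) as resp:
        return json.load(resp)
```

Calling `build_changes_url("http://couchdata.busaccess.de:5984/", "busdata")` raises `InsecureReplicationSource`, while the https form of the same host is accepted and later verified by `fetch_changes`.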
Timeline
- 2016-11-29: Vulnerability Discovered
- 2016-12-12: Reported
- 2017-02-16: Fixed