May 2017 CERT Cyber Vulnerabilities

Each month, Nebula Consulting posts vulnerability notes from CERT's vulnerability database. Check back often for updates! 02 May 2017 - VU#491375 - Intel Active Management Technology (AMT) does not properly enforce access control

Technologies based on Intel Active Management Technology may be vulnerable to remote privilege escalation, which may allow a remote, unauthenticated attacker to execute arbitrary code on the system.

A remote, unauthenticated attacker may be able to gain access to the remote management features of the system. The execution occurs at a hardware system level regardless of operating system environment and configuration.

Solution: https://downloadcenter.intel.com/download/26754

04 May 2017 - VU#276408Intel Active Management Technology (AMT) does not properly enforce access control

Think Mutual Bank mobile banking app for iOS, version 3.1.5 and earlier, fails to properly validate SSL certificates provided by HTTPS connections, which may enable an attacker to conduct man-in-the-middle (MITM) attacks.

An attacker on the same network as the iOS device may be able to view or modify network traffic that should have been protected by HTTPS, which may lead to the exposure of sensitive account information, including login credentials.

Solution: The vendor has released version 3.2.0 to address this issue. Users are encouraged to update to the latest release.

04 May 2017 - VU#556600Space Coast Credit Union SCCU Mobile for Android and iPhone fails to properly validate SSL certificates

Space Coast Credit Union SCCU Mobile for Android, version 2.1.0.1104 and earlier, and for iOS, version 2.2 and earlier, fails to properly validate SSL certificates provided by HTTPS connections, which may enable an attacker to conduct man-in-the-middle (MITM) attacks.

An attacker on the same network as the Android or iOS device may be able to view or modify network traffic that should have been protected by HTTPS, which may lead to the exposure of sensitive account information, including login credentials.

Solution: NONE. The CERT/CC is currently unaware of a practical solution to this problem and recommends the following workarounds.