Sophos Secure Email Android Application 3.9.4 Man-In-The-Middle ≈ Packet Storm
--
https://www.info-sec.ca/advisories/Sophos-Secure-Email.html
Overview
"Sophos Secure Email is a containerized and secure email app that lets you fully separate enterprise and private data on your device. It handles the corporate emails, contacts and calendar from the company’s Exchange server. Corporate data is protected with AES-256 encryption and the export of data is controlled by the company’s Data Loss Prevention (DLP) rules."
(https://play.google.com/store/apps/details?id=com.sophos.sse)
Issue
The Sophos Secure Email Android application (version 3.9.4 and below, later versions have not been tested), does not validate the SSL certificate it receives when connecting to the application server.
Impact
An attacker who can perform a man in the middle attack may present a bogus SSL certificate which the application will accept silently. Sensitive information could be captured by an attacker without the user's knowledge.
Timeline
October 31, 2016 - Notified Sophos via security-alert@sophos.com
October 31, 2016 - Sophos confirmed receipt of the report
November 7, 2016 - Asked for a status update
November 8, 2016 - Sophos confirmed the issue
November 8, 2016 - Provided additional information about the issue
November 9, 2016 - Sophos provided information on the timing of the fix
November 10, 2016 - Sophos advised that they are not planning on addressing the issue
June 22, 2020 - Published an advisory to document the issue
CVE-ID:
CVE-2020-14980
Gloss