A vulnerability, which was classified as critical, has been found in Good Technology Enterprise 3.0.0.415 on Android (Android App Software). Affected by this issue is an unknown function of the component Signature Protection. The manipulation with an unknown input leads to a data authenticity vulnerability. Using CWE to declare the problem leads to CWE-345. The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. Impacted is confidentiality, integrity, and availability. CVE summarizes:

The Good for Enterprise application 3.0.0.415 for Android does not use signature protection for its Authentication Delegation API intent. Also, the Good Dynamic application activation process does not attempt to detect malicious activation attempts involving modified names beginning with a com.good.gdgma substring. Consequently, an attacker could obtain access to intranet data. This issue is only relevant in cases where the user has already downloaded a malicious Android application.

The bug was discovered 09/20/2017. The weakness was shared 09/20/2017 (Website). The advisory is shared for download at securityfocus.com. This vulnerability is handled as CVE-2015-9232 since 09/20/2017. The attack may be launched remotely. No form of authentication is required for exploitation. Successful exploitation requires user interaction by the victim. There are neither technical details nor an exploit publicly available.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Productinfo

Type

• Android App Software

Vendor

• Good Technology

Name

• Enterprise

Version

• 3.0.0.415

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion