CVE-2017-5907 in Mobile Banking
Summary
by MITRE
The Great Southern Bank Great Southern Mobile Banking app before 4.0.4 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
Analysis
by VulDB Data Team • 09/24/2020
CVE-2017-5907 affects the Great Southern Mobile Banking application for iOS, version 4.0.3 and earlier, and is a critical flaw for a mobile banking app. The application fails to properly validate X.509 certificates during SSL/TLS connections, which removes the basic guarantee that encrypted banking traffic is supposed to provide: that the client is talking to the genuine server. The flaw sits in the authentication step that protects the exchange of financial data between the mobile client and the bank's server infrastructure, so the cryptographic protection users expect from a banking app is effectively absent.
The defect lies in the certificate validation step of the application's SSL/TLS stack. When the app connects to the bank's servers it does not perform certificate chain validation, certificate expiration checks or hostname verification, all of which are standard requirements for a secure connection. An attacker who can present a crafted certificate therefore looks legitimate to the vulnerable app and can intercept and manipulate banking transactions without detection. The missing check belongs at the transport-security layer, where the app should enforce certificate pinning or, at minimum, perform the standard certificate verification defined by industry security protocols.
The operational impact goes well beyond passive data interception: the trust model that a mobile banking app relies on for secure transactions breaks down completely. A man-in-the-middle attacker can capture login credentials, transaction details, account balances and other sensitive banking information. Because the integrity of the channel is compromised, the attacker can impersonate the legitimate banking servers and redirect users to malicious endpoints while the app still appears to be talking to the bank. The result is an attack path that can enable financial fraud, identity theft and unauthorized account access through manipulation of what should be protected communications.
The weakness is classified as CWE-295, Improper Certificate Validation, and is a clear violation of the certificate validation principle on which secure communication systems rest. In ATT&CK terms it maps to T1046 Network Service Scanning and T1566 Phishing, since an attacker can use the flaw to establish malicious communication channels and reuse captured credentials in further attacks; it also correlates with T1552 Credential Access and T1071 Application Layer Protocol, as it exposes banking credentials and allows application-layer traffic to be manipulated.

Organizations should implement certificate pinning, enforce strict certificate validation and deploy network monitoring to detect and block exploitation attempts. Regular security assessments and penetration tests should also be carried out to find similar validation flaws in mobile banking applications and other financial services that depend on secure transport. Remediation requires updating the application to perform proper X.509 certificate validation, including hostname checking, expiration verification and chain validation, and to add certificate pinning where appropriate so that unauthorized certificates are rejected.
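The missing checks described in the analysis, and the validation the remediation calls for, can be reproduced offline. The following is an added example, not VulDB's or the bank's code, written against Go's standard library because the behaviour does not depend on the iOS stack: a throwaway self-signed certificate stands in for an attacker's crafted one, `VulnerableConfig` mirrors the app's acceptance of any server certificate, and `HardenedConfig` performs chain and hostname validation against an explicit root set. The hostname `mobile.bank.example` and every certificate are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

const host = "mobile.bank.example" // constructed hostname, not the bank's real endpoint

// MintCert returns a throwaway self-signed certificate for host (constructed test data); an on-path attacker can mint one just like it.
func MintCert() (tls.Certificate, *x509.Certificate) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	parsed, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, parsed
}

// ClientAccepts serves one TLS handshake on loopback with serverCert and reports whether a client using cfg completed it; true against a spoofed cert means a man-in-the-middle can impersonate the bank.
func ClientAccepts(serverCert tls.Certificate, cfg *tls.Config) bool {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	go func() { // server side; only the client's verdict matters for this demonstration
		if c, err := ln.Accept(); err == nil {
			_ = c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	if conn, err := tls.Dial("tcp", ln.Addr().String(), cfg); err == nil {
		conn.Close()
		return true
	}
	return false // handshake refused: the client rejected the server certificate
}

// VulnerableConfig reproduces the app's flaw: no chain, expiry or hostname validation at all.
func VulnerableConfig() *tls.Config { return &tls.Config{InsecureSkipVerify: true} }
// HardenedConfig validates the chain against an explicit root set and checks the hostname.
func HardenedConfig(roots *x509.CertPool) *tls.Config {
	return &tls.Config{ServerName: host, RootCAs: roots, MinVersion: tls.VersionTLS12}
}
```

Running the vulnerable configuration against the minted certificate succeeds, the hardened configuration with an empty root set refuses it, and the hardened configuration accepts the same certificate only once it has been added to the trusted roots.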