CVE-2017-5915 in NBD KSA App
Summary
by MITRE
The Emirates NBD Bank P.J.S.C Emirates NBD KSA app 3.10.0 through 3.10.4 (UAE) and 2.0.1 through 2.1.0 (KSA) for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
Analysis
by VulDB Data Team • 09/24/2020
The vulnerability identified as CVE-2017-5915 affects mobile banking applications developed by Emirates NBD Bank P.J.S.C for iOS devices operating in the UAE and KSA regions. This security flaw exists in specific versions of the Emirates NBD KSA application, namely 3.10.0 through 3.10.4 for UAE deployments and 2.0.1 through 2.1.0 for KSA deployments. The issue represents a critical failure in the application's secure communication protocols that directly impacts the integrity of the banking service's network security infrastructure. Mobile banking applications require robust certificate validation mechanisms to ensure that users are communicating with legitimate banking servers and not with malicious actors who might attempt to intercept sensitive financial data.
The technical flaw manifests in the application's inability to properly validate X.509 certificates during SSL/TLS connections established with backend banking servers. This certificate verification failure creates a dangerous condition where the mobile application accepts any certificate presented by a server without performing the necessary cryptographic checks that would normally validate the certificate's authenticity, issuer, and trust chain. The vulnerability stems from improper implementation of certificate pinning or complete absence of certificate validation logic within the application's secure communication layer. This type of flaw falls under CWE-295 which specifically addresses "Improper Certificate Validation" and represents a fundamental breakdown in the application's security architecture that violates basic secure coding practices.
The operational impact of this vulnerability is severe and far-reaching for both the bank and its customers. Attackers capable of performing man-in-the-middle attacks can exploit this weakness by presenting fraudulent certificates that appear legitimate to the vulnerable application. This allows them to intercept and potentially modify all communications between the mobile banking application and the bank's servers, enabling them to obtain sensitive customer information including account details, transaction histories, authentication credentials, and personal identification data. The vulnerability creates an environment where financial fraud can occur without detection, as the application fails to alert users to the compromised connection. This represents a direct violation of security controls outlined in the NIST SP 800-53 security framework and compromises the confidentiality, integrity, and availability of banking services as defined in the CIA triad.
The exploitation of this vulnerability aligns with techniques documented in the MITRE ATT&CK framework under the T1046 category for network service scanning and T1566 for credential harvesting. Attackers can leverage this weakness to establish persistent surveillance of banking transactions and user activities, potentially leading to significant financial losses and identity theft. The vulnerability's impact extends beyond immediate financial fraud to include reputational damage for the bank and potential regulatory penalties under financial services compliance frameworks such as PCI DSS and local banking regulations in the UAE and KSA markets. Organizations should implement comprehensive certificate validation mechanisms including proper certificate pinning, regular security assessments, and continuous monitoring of mobile application security posture to prevent similar vulnerabilities from occurring in banking applications. The affected applications require immediate remediation through code updates that enforce proper X.509 certificate validation procedures and establish secure communication channels that cannot be easily bypassed by malicious actors.
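The two technical points above, the missing X.509 validation described under CWE-295 and the certificate pinning recommended as remediation, are shown below in an added example. This is illustrative code written for this page, not code from the Emirates NBD apps or from VulDB; it assumes a client written against Python's ssl module rather than iOS, and that SPKI pins are SHA-256 over the DER SubjectPublicKeyInfo in the base64 form used by HPKP and OkHttp. The "certificate" used to exercise the pinning check is constructed and has only the TLV layout of X.509, not real key or signature material.

```python
import base64
import hashlib
import ssl
from typing import Iterable, List, Optional, Tuple

# ---- 1. The weak client configuration beside the corrected one --------------

def insecure_context() -> ssl.SSLContext:
    """The CWE-295 setting: any server certificate is accepted and the
    hostname is never compared, so a crafted certificate passes silently."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Corrected setting: chain validation, hostname check, TLS 1.2 or newer.
    Passing cafile restricts trust to a private CA instead of the OS store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Findings a unit test or code review would raise against a client context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("CWE-295: server certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("CWE-297: certificate is not matched against the hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed")
    return findings

# ---- 2. SPKI pinning as a second layer after chain validation ---------------

def _tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                   # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def spki_from_der(cert_der: bytes) -> bytes:
    """Return the DER subjectPublicKeyInfo TLV of an X.509 certificate by
    walking Certificate -> tbsCertificate and skipping the fields before it."""
    _, cert, _ = _tlv(cert_der, 0)      # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert, 0)           # tbsCertificate SEQUENCE
    tag, _, pos = _tlv(tbs, 0)          # [0] version (optional) or serialNumber
    if tag == 0xA0:                     # version present: serialNumber is next
        _, _, pos = _tlv(tbs, pos)
    for _ in range(4):                  # signature, issuer, validity, subject
        _, _, pos = _tlv(tbs, pos)
    start = pos
    _, _, end = _tlv(tbs, pos)          # subjectPublicKeyInfo SEQUENCE
    return tbs[start:end]


def spki_pin(cert_der: bytes) -> str:
    """'sha256/<base64>' pin over the SPKI (HPKP / OkHttp CertificatePinner form)."""
    digest = hashlib.sha256(spki_from_der(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode()


def pin_matches(cert_der: bytes, trusted_pins: Iterable[str]) -> bool:
    """Reject a chain-valid certificate whose key the app was not built to
    trust; this is what defeats a rogue or compromised CA."""
    return spki_pin(cert_der) in set(trusted_pins)

# ---- 3. Constructed certificate skeleton used to exercise the walker --------

SEQ = 0x30

def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder (short and long length forms)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def toy_certificate(spki: bytes, with_version: bool = True) -> bytes:
    """Constructed, not a real certificate: only the X.509 TLV layout, with
    placeholder field bodies, so the SPKI walker can be tested offline."""
    fields = []
    if with_version:
        fields.append(_der(0xA0, _der(0x02, b"\x02")))   # [0] version v3
    fields.append(_der(0x02, b"\x01"))                    # serialNumber
    fields.append(_der(SEQ, b""))                         # signature algorithm
    fields.append(_der(SEQ, b"issuer"))                   # issuer (placeholder)
    fields.append(_der(SEQ, b"validity"))                 # validity (placeholder)
    fields.append(_der(SEQ, b"subject"))                  # subject (placeholder)
    fields.append(spki)                                   # subjectPublicKeyInfo
    tbs = _der(SEQ, b"".join(fields))
    return _der(SEQ, tbs + _der(SEQ, b"") + _der(0x03, b"\x00sig"))


if __name__ == "__main__":
    print(audit_context(insecure_context()))   # the CWE-295 findings
    print(audit_context(hardened_context()))   # []
    cert = toy_certificate(_der(SEQ, b"constructed-public-key"))
    print(spki_pin(cert), pin_matches(cert, [spki_pin(cert)]))
```

In a real client the pin check runs inside the TLS handshake callback (on iOS, `urlSession(_:didReceive:completionHandler:)`) after the platform has already validated the chain; pinning alone without chain validation would recreate the original problem the moment the pinned key rotates.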