CVE-2017-9585 in Lamar Mobile Banking App
Summary
by MITRE
The "Community State Bank - Lamar Mobile Banking" by Community State Bank - Lamar app 3.0.3 -- aka community-state-bank-lamar-mobile-banking/id1083927885 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
Analysis
by VulDB Data Team • 10/18/2019
CVE-2017-9585 affects version 3.0.3 of the Community State Bank - Lamar Mobile Banking iOS application. It is an improper certificate validation flaw, classified as CWE-295 (Improper Certificate Validation): the app does not verify the X.509 certificates that SSL/TLS servers present when a connection is established, so it cannot distinguish the bank's real servers from an impostor. Anyone able to place themselves between the device and the server can therefore terminate the TLS connection on their own machine, present a certificate of their choosing, and read or alter the financial data flowing through the app.
The MITRE description says only that the app does not verify server certificates; whatever the precise coding error, the effect is that the checks a TLS client must perform before trusting a server are skipped. Those checks are: that the server's certificate chains to a Certificate Authority the app trusts, with every signature, validity period and basic-constraints extension along the chain in order; that the certificate's Subject Alternative Name matches the hostname the app intended to reach; and, ideally, that neither the leaf nor any intermediate has been revoked. On iOS, this kind of flaw typically originates in a URLSession or NSURLConnection authentication-challenge handler that accepts every server trust object rather than evaluating it, which disables the chain and hostname checks at once; whether that is the exact cause here is not stated in the advisory. Skipping either check is enough. Without chain validation the attacker can present a self-signed certificate bearing the bank's hostname; without hostname checking, a certificate legitimately issued for any other domain the attacker controls is accepted. In both cases the app completes an ordinary-looking TLS handshake with the attacker, who decrypts, reads and optionally modifies every request and response before forwarding it to the real server. The flaw therefore defeats the server-authentication guarantee that TLS is supposed to give a banking client.
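The following is an added example, not code from the page, from VulDB or from the app's vendor, that makes the missing checks concrete. It is written in Go because Go's standard library can mint certificates and run a TLS handshake in-process over loopback; the iOS app's own code is not shown on the page. It constructs a throwaway CA, a legitimate server certificate, an attacker's self-signed certificate for the same hostname, and a CA-issued certificate for the wrong hostname, then runs the handshakes with a client that skips verification (the analogue of the app's bug) and with a client that validates chain and hostname. The hostname mobile.bank.example, the CA name and attacker.example are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// bankHost is a hypothetical backend hostname; the app's real endpoints are not on the page.
const bankHost = "mobile.bank.example"

type certPair struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a certificate for name signed by parent, or self-signed when parent is nil.
func issue(name string, isCA bool, parent *certPair) *certPair {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // a server certificate names its host in the SAN, not the CN
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent.Cert, parent.Key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return &certPair{must(x509.ParseCertificate(der)), key}
}

// Handshake runs one TLS handshake over loopback TCP; the server presents server's certificate
// (the attacker's in the MITM case). Returns the client's verdict: nil means it trusted the peer.
func Handshake(server *certPair, clientCfg *tls.Config) error {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	srvCfg := &tls.Config{
		Certificates:           []tls.Certificate{{Certificate: [][]byte{server.Cert.Raw}, PrivateKey: server.Key}},
		SessionTicketsDisabled: true, // nothing is left unread on the client side when it hangs up
	}
	done := make(chan struct{})
	go func() {
		defer close(done)
		if c, err := ln.Accept(); err == nil {
			_ = tls.Server(c, srvCfg).Handshake() // the server's view is not what we measure
			c.Close()
		}
	}()
	raw := must(net.Dial("tcp", ln.Addr().String()))
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	err := tls.Client(raw, clientCfg).Handshake()
	raw.Close()
	<-done
	return err
}

// VulnerableConfig mirrors the app's flaw: any certificate is accepted, with no chain or hostname check.
func VulnerableConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true, ServerName: bankHost}
}

// ProperConfig does what the app omits: the chain must end at a trusted CA and the cert must be valid for bankHost.
func ProperConfig(ca *certPair) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Cert)
	return &tls.Config{RootCAs: pool, ServerName: bankHost}
}

func main() {
	ca := issue("Example Bank Root CA", true, nil)    // constructed CA that the client trusts
	legit := issue(bankHost, false, ca)               // the bank's real server certificate
	selfSigned := issue(bankHost, false, nil)         // attacker's crafted self-signed certificate
	wrongName := issue("attacker.example", false, ca) // CA-issued, but for the attacker's own host
	show := func(label string, err error) { fmt.Printf("%-38s %v\n", label, err) } // nil means accepted
	show("vulnerable client vs self-signed MITM:", Handshake(selfSigned, VulnerableConfig()))
	show("proper client vs real server:", Handshake(legit, ProperConfig(ca)))
	show("proper client vs self-signed MITM:", Handshake(selfSigned, ProperConfig(ca)))
	show("proper client vs wrong-hostname cert:", Handshake(wrongName, ProperConfig(ca)))
}
```

Run it with go run: the vulnerable client completes the handshake with the self-signed certificate, while the proper client rejects both the unknown authority and the certificate for the wrong hostname and accepts only the bank's own. These are the same scenarios a mobile pentester reproduces with an interception proxy; an app that completes the handshake against a proxy-generated certificate the device does not trust has exactly this bug.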
The operational impact goes well beyond passive interception, because TLS is the only thing standing between the app's traffic and anyone on the same network path. An attacker who has the device's traffic routed through them (a rogue or cloned Wi-Fi hotspot, ARP or DNS spoofing on a shared LAN, a compromised router) can read account balances, transaction histories, personal data and, depending on the app's authentication design, login credentials or session tokens that allow full account takeover; they can also rewrite requests and responses in transit. No cryptographic attack is required: the attacker simply presents any certificate, a self-signed one included, and the app accepts it, which puts the attack within reach of low-skill adversaries using off-the-shelf interception tools. The setting makes this worse, since mobile banking is routinely done on public or shared networks where an on-path attacker is a realistic threat, and the user sees a normal-looking app with no warning that the connection is not what it claims to be.
Organizations should address both immediate remediation and longer-term engineering practice. The immediate fix is an updated app that performs full certificate validation: chain verification against the platform trust store (or a bundled set of roots), hostname matching against the Subject Alternative Name, and revocation checking where the platform supports it; users should be moved to the fixed release and the vulnerable 3.0.3 build retired. The relevant standard is the OWASP Mobile Top 10 category M3: Insecure Communication, and the OWASP Mobile Application Security Verification Standard (MASVS) network-communication requirements cover the same ground. Certificate or public-key pinning inside the app is a worthwhile additional layer, because it rejects even a CA-issued certificate for the bank's hostname that was mis-issued or obtained from a compromised CA; pinning supplements validation rather than replacing it, and it needs a backup pin and a rotation plan so that a routine key change does not lock users out. Note that iOS App Transport Security enforces TLS versions and cipher suites but does not stop an app from overriding trust evaluation in its own code, so ATS being enabled is not evidence that this class of bug is absent. Because the defect lives in the client, server-side monitoring can only detect its consequences (unusual logins, transaction anomalies), so the institution should pair the fix with transaction monitoring, multi-factor authentication and user-behaviour analytics. Finally, the case shows why mobile applications that handle financial data should be tested with an interception proxy presenting an untrusted certificate before every release: the test is trivial to run and would have caught this flaw directly.