Amazon Kindle for Android < 4.5.0 SSL Certificate Validation Security Bypass

Medium Nessus Network Monitor Plugin ID 8373

Synopsis

The Android device is running a vulnerable version of Amazon Kindle.

Description

Versions prior to Amazon Kindle for Android 4.5.0 are affected by a potential man-in-the-middle vulnerability as a result of not verifying the X.509 certificates of SSL servers. An attacker may thus impersonate a server to eavesdrop or modify encrypted communication.

Solution

Update to Kindle for Android version 4.5.0, or later, from the Google Play store.

See Also

http://jvndb.jvn.jp/jvndb/JVNDB-2014-000102

https://play.google.com/store/apps/details?id=com.amazon.kindle

Plugin Details

Severity: Medium

ID: 8373

Family: Web Clients

Published: 2014/09/05

Modified: 2016/12/06

Dependencies: 5287

Risk Information

Risk Factor: Medium

CVSSv2

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSSv3

Base Score: 4.7

Temporal Score: 4.1

Vector: CVSS3#AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Temporal Vector: CVSS3#E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:amazon:kindle_for_android

Patch Publication Date: 2014/08/29

Vulnerability Publication Date: 2014/08/29

Reference Information

CVE: CVE-2014-3908

BID: 69492