Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2020-14980: Sophos Secure Email Android Application - MITM SSL Certificate Vulnerability (CVE-2020-14980)

The Sophos Secure Email application through 3.9.4 for Android has Missing SSL Certificate Validation.

CVE
#vulnerability#android#google#ssl

Overview“Sophos Secure Email is a containerized and secure email app that lets you fully separate enterprise and private data on your device. It handles the corporate emails, contacts and calendar from the company’s Exchange server. Corporate data is protected with AES-256 encryption and the export of data is controlled by the company’s Data Loss Prevention (DLP) rules.”

(https://play.google.com/store/apps/details?id=com.sophos.sse)

IssueThe Sophos Secure Email Android application (version 3.9.4 and below, later versions have not been tested), does not validate the SSL certificate it receives when connecting to the application server.ImpactAn attacker who can perform a man in the middle attack may present a bogus SSL certificate which the application will accept silently. Sensitive information could be captured by an attacker without the user’s knowledge.TimelineOctober 31, 2016 - Notified Sophos via [email protected]
October 31, 2016 - Sophos confirmed receipt of the report
November 7, 2016 - Asked for a status update
November 8, 2016 - Sophos confirmed the issue
November 8, 2016 - Provided additional information about the issue
November 9, 2016 - Sophos provided information on the timing of the fix
November 10, 2016 - Sophos advised that they are not planning on addressing the issue
June 22, 2020 - Published an advisory to document the issue
CVE-ID:CVE-2020-14980Questions?Contact Information

Info-Sec.CA

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907