Anbox Management Service vulnerability affects TLS certificate validation
CVE-2024-8287

7.5HIGH

Key Information:

Vendor
Canonical Ltd.
Status
Anbox Cloud
Vendor
CVE Published:
18 September 2024

Summary

The Anbox Management Service, encompassing versions 1.17.0 through 1.23.0, suffers from a vulnerability where it fails to adequately validate the TLS certificate from the Anbox Stream Agent. This oversight can facilitate a scenario where an attacker, having access to the internal network, could perform a machine-in-the-middle attack. Such a compromise allows malicious entities to intercept potentially sensitive data exchanged between the service and the agent, thereby posing significant risks to system security. Organizations using affected versions must review their network security measures and implement patches or mitigation strategies to safeguard against unauthorized access.

Affected Version(s)

Anbox Cloud Linux 1.17.0 < 1.23.1

References

https://discourse.ubuntu.com/t/anbox-cloud-1-23-1-has-bee...
vendor-advisory
https://bugs.launchpad.net/anbox-cloud/+bug/2077570
issue-tracking
https://www.cve.org/CVERecord?id=CVE-2024-8287
issue-tracking

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

Credit

Simon Fels
Simon Fels
.