Sophos Secure Email Android Application - MITM SSL Certificate Vulnerability (CVE-2020-14980)

Overview

"Sophos Secure Email is a containerized and secure email app that lets you fully separate enterprise and private data on your device. It handles the corporate emails, contacts and calendar from the company’s Exchange server. Corporate data is protected with AES-256 encryption and the export of data is controlled by the company’s Data Loss Prevention (DLP) rules."

(https://play.google.com/store/apps/details?id=com.sophos.sse)

Issue

The Sophos Secure Email Android application (version 3.9.4 and below, later versions have not been tested), does not validate the SSL certificate it receives when connecting to the application server.

Impact

An attacker who can perform a man in the middle attack may present a bogus SSL certificate which the application will accept silently. Sensitive information could be captured by an attacker without the user's knowledge.

Timeline

October 31, 2016 - Notified Sophos via security-alert@sophos.com
October 31, 2016 - Sophos confirmed receipt of the report
November 7, 2016 - Asked for a status update
November 8, 2016 - Sophos confirmed the issue
November 8, 2016 - Provided additional information about the issue
November 9, 2016 - Sophos provided information on the timing of the fix
November 10, 2016 - Sophos advised that they are not planning on addressing the issue
June 22, 2020 - Published an advisory to document the issue

CVE-ID:

CVE-2020-14980

Questions?

Contact Information

Info-Sec.CA