Due to a lack of certificate validation with a configured remote Microsoft Exchange server, Nine leaks associated Microsoft Exchange user credentials, mail envelopes and their attachments, mailbox synchronization information, calendar entries and tasks. This issue presents itself regardless of SSL/TLS trust settings within the Nine server settings panel.
October 13, 2016 update: Version 3.1.0 was released by the vendor to address these issues.
The Nine mobile application for Android is a Microsoft Exchange client that allows users to synchronize their corporate email, tasks, and calendar entries to Android-based devices (phones, tablets, etc.). At the time of writing, Nine is listed in the Google Play store with 500,000 - 1,000,000 installs.
An attacker in a privileged position within the same network as the mobile device running Nine can man-in-the-middle (MitM) traffic to the remote Exchange server (such as outlook.office365.com in the case of outlook365 corporate email). Attacks can be trivialized in open wireless environments, or by WiFi stalking unsuspecting Nine users with a rogue wireless access point (WAP herein) to trick the mobile device into connecting to an attacker-controlled network.
In one scenario, an attacker may setup a WAP in a backpack broadcasting a well-known SSID, such as "Starbucks," bridged to a 3G/4G mobile data connection. The attacker could funnel HTTPS traffic to mitmproxy which serves self-signed certificates from an otherwise invalid certificate authority (CA). From that point on, the attacker would merely wait for a Nine user to come within range of the rogue WAP. Communication between Nine and the remote Exchange ActiveSync service may happen when the victim opens his or her phone, when an email is received (and push is enabled), or when the phone polls the remote service. All communication packets contain the victim's credentials in a HTTP basic authentication header.
In a variant of the above scenario, an attacker may visit the same open WiFi (for example, on an airliner or in a coffee shop, etc.) environment an unsuspecting user is in and poison that user's DNS queries for the Exchange server. The rest of the attack would work as explained above.
The image below depicts a decrypted capture of MitM'd traffic by mitmproxy, an open source tool. The highlighted area in red contains base64-encoded account credentials.
As mentioned earlier, users can disable push synchronization in Nine and synchronize manually, only in trusted networks (or over VPN connections to trusted networks).
IT administrators can look for MUA strings prepended with "Nine-" in their ActiveSync logs, and determine appropriate next steps for those users who are currently using the NineFolders app to access organization data. Customers of Rapid7's InsightIDR can identify Nine clients by simply searching for "where(/Nine-/i)" in the Log Search page.
This vulnerability is being disclosed in accordance with Rapid7's disclosure policy.
- Tue, Aug 09, 2016: Attempted contact to the vendor.
- Thu, Aug 25, 2016: Disclosed details to CERT.
- Fri, Aug 25, 2016: CVE-2016-6533 assigned by CERT.
- Tue, Oct 11, 2016: Public disclosure.
- Wed, Oct 12, 2016: Vendor response with notification of fixed version (release timing TBD).
- Thu, Oct 13, 2016: Vendor released version 3.1.0 to address these issues.