Vulnerability-Lookup

CNVD-2022-10740

Vulnerability from cnvd - Published: 2022-02-16

Title

Wire存在未明漏洞（CNVD-2022-10740）

Description

Wire是个人开发者的一款聊天软件。该软件支持 Web、WindowsiOS、Android、OS X 平台，有群组功能，可以语音通话，发送照片以及其独创性的打招呼方式 PING。 Wire存在安全漏洞，Wire by Bund的用户可以通过简单地禁用他们的设备密码来绕过强制的静态加密功能。目前没有详细的漏洞细节提供。

Severity

低

Patch Name

Wire存在未明漏洞（CNVD-2022-10740）的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/wireapp/wire-ios/security/advisories/GHSA-h4m7-pr8h-j7rf

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-41094

Impacted products

Name
Wire Wire >=3.68，<3.70

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-41094"
    }
  },
  "description": "Wire\u662f\u4e2a\u4eba\u5f00\u53d1\u8005\u7684\u4e00\u6b3e\u804a\u5929\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u652f\u6301 Web\u3001WindowsiOS\u3001Android\u3001OS X \u5e73\u53f0\uff0c\u6709\u7fa4\u7ec4\u529f\u80fd\uff0c\u53ef\u4ee5\u8bed\u97f3\u901a\u8bdd\uff0c\u53d1\u9001\u7167\u7247\u4ee5\u53ca\u5176\u72ec\u521b\u6027\u7684\u6253\u62db\u547c\u65b9\u5f0f PING\u3002\n\nWire\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0cWire by Bund\u7684\u7528\u6237\u53ef\u4ee5\u901a\u8fc7\u7b80\u5355\u5730\u7981\u7528\u4ed6\u4eec\u7684\u8bbe\u5907\u5bc6\u7801\u6765\u7ed5\u8fc7\u5f3a\u5236\u7684\u9759\u6001\u52a0\u5bc6\u529f\u80fd\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/wireapp/wire-ios/security/advisories/GHSA-h4m7-pr8h-j7rf",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-10740",
  "openTime": "2022-02-16",
  "patchDescription": "Wire\u662f\u4e2a\u4eba\u5f00\u53d1\u8005\u7684\u4e00\u6b3e\u804a\u5929\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u652f\u6301 Web\u3001WindowsiOS\u3001Android\u3001OS X \u5e73\u53f0\uff0c\u6709\u7fa4\u7ec4\u529f\u80fd\uff0c\u53ef\u4ee5\u8bed\u97f3\u901a\u8bdd\uff0c\u53d1\u9001\u7167\u7247\u4ee5\u53ca\u5176\u72ec\u521b\u6027\u7684\u6253\u62db\u547c\u65b9\u5f0f PING\u3002\r\n\r\nWire\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0cWire by Bund\u7684\u7528\u6237\u53ef\u4ee5\u901a\u8fc7\u7b80\u5355\u5730\u7981\u7528\u4ed6\u4eec\u7684\u8bbe\u5907\u5bc6\u7801\u6765\u7ed5\u8fc7\u5f3a\u5236\u7684\u9759\u6001\u52a0\u5bc6\u529f\u80fd\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Wire\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2022-10740\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Wire Wire \u003e=3.68\uff0c\u003c3.70"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-41094",
  "serverity": "\u4f4e",
  "submitTime": "2021-10-09",
  "title": "Wire\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2022-10740\uff09"
}

CVE-2021-41094 (GCVE-0-2021-41094)

Vulnerability from cvelistv5 – Published: 2021-10-04 18:20 – Updated: 2024-08-04 02:59

Title

Mandatory encryption at rest can be bypassed (UI) in Wire app

Summary

Wire is an open source secure messenger. Users of Wire by Bund may bypass the mandatory encryption at rest feature by simply disabling their device passcode. Upon launching, the app will attempt to enable encryption at rest by generating encryption keys via the Secure Enclave, however it will fail silently if no device passcode is set. The user has no indication that encryption at rest is not active since the feature is hidden to them. This issue has been resolved in version 3.70

Severity ?

4.2 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

CWE

CWE-668 - Exposure of Resource to Wrong Sphere

Assigner

GitHub_M

References

URL

Tags

	https://github.com/wireapp/wire-ios/security/advi…	x_refsource_CONFIRM
	https://github.com/wireapp/wire-ios/commit/5ba3eb…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	wireapp	wire-ios	Affected: >= 3.68, < 3.70

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T02:59:31.399Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-h4m7-pr8h-j7rf"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-ios/commit/5ba3eb180efc3fc795d095f9c84ae7f109b84746"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wire-ios",
          "vendor": "wireapp",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 3.68, \u003c 3.70"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Wire is an open source secure messenger. Users of Wire by Bund may bypass the mandatory encryption at rest feature by simply disabling their device passcode. Upon launching, the app will attempt to enable encryption at rest by generating encryption keys via the Secure Enclave, however it will fail silently if no device passcode is set. The user has no indication that encryption at rest is not active since the feature is hidden to them. This issue has been resolved in version 3.70"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-668",
              "description": "CWE-668: Exposure of Resource to Wrong Sphere",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-10-04T18:20:13",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-h4m7-pr8h-j7rf"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wireapp/wire-ios/commit/5ba3eb180efc3fc795d095f9c84ae7f109b84746"
        }
      ],
      "source": {
        "advisory": "GHSA-h4m7-pr8h-j7rf",
        "discovery": "UNKNOWN"
      },
      "title": "Mandatory encryption at rest can be bypassed (UI) in Wire app",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-41094",
          "STATE": "PUBLIC",
          "TITLE": "Mandatory encryption at rest can be bypassed (UI) in Wire app"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "wire-ios",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 3.68, \u003c 3.70"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "wireapp"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Wire is an open source secure messenger. Users of Wire by Bund may bypass the mandatory encryption at rest feature by simply disabling their device passcode. Upon launching, the app will attempt to enable encryption at rest by generating encryption keys via the Secure Enclave, however it will fail silently if no device passcode is set. The user has no indication that encryption at rest is not active since the feature is hidden to them. This issue has been resolved in version 3.70"
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-668: Exposure of Resource to Wrong Sphere"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-h4m7-pr8h-j7rf",
              "refsource": "CONFIRM",
              "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-h4m7-pr8h-j7rf"
            },
            {
              "name": "https://github.com/wireapp/wire-ios/commit/5ba3eb180efc3fc795d095f9c84ae7f109b84746",
              "refsource": "MISC",
              "url": "https://github.com/wireapp/wire-ios/commit/5ba3eb180efc3fc795d095f9c84ae7f109b84746"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-h4m7-pr8h-j7rf",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-41094",
    "datePublished": "2021-10-04T18:20:13",
    "dateReserved": "2021-09-15T00:00:00",
    "dateUpdated": "2024-08-04T02:59:31.399Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2022-10740

CVE-2021-41094 (GCVE-0-2021-41094)

Tags

Sightings

Nomenclature