Vulnerability (CVE-2021-27189)
--
https://www.info-sec.ca/advisories/CIRA-Canadian-Shield.html
Overview
"CIRA Canadian Shield protects you from online threats such
as
malicious domains, phishing websites and helps to keep your
personal
data private. It also provides DNS privacy by keeping your DNS
requests in Canada. This app works by changing your phone's DNS
settings to run your requests through CIRA's Canadian server
network."
(https://apps.apple.com/ca/app/cira-canadian-shield/id1499859661)
Issue
The Canadian Internet Registration Authority (CIRA) Canadian
Shield
iOS application (version 4.0.12 and below), does not validate the
SSL
certificate it receives when connecting to the application
server.
Impact
An attacker who can perform a man in the middle attack may
present a
bogus SSL certificate which the application will accept
silently.
Sensitive information could be captured by an attacker without
the
user's knowledge.
Timeline
December 22, 2020 - Attempted to obtain a security contact via a
form on cira.ca
December 23, 2020 - Asked for a security contact via an email
to
December 23, 2020 - CIRA support asked for details which they
will
forward to the right team
December 28, 2020 - Asked for a security contact via an email
to
December 30, 2020 - Asked the Canadian Centre for Cyber
Security
(CCCS) if they could connect me with security contact at CIRA
December 31, 2020 - CCCS responded that they will attempt to
connect
me with a security contact at CIRA
January 4, 2021 - A security contact at CIRA confirmed that
January 4, 2021 - Provided the details to CIRA via
January 5, 2021 - CIRA confirmed receipt of the details
February 1, 2021 - CIRA confirmed the issue and stated they are
working on an update
February 22, 2021 - CIRA released version 4.0.13
Solution
Upgrade to version 4.0.13 or later
CVE-ID
CVE-2021-27189
Read more https://packetstormsecurity.com/files/161507/cira-mitm.txt