AVTECH EagleEyes Lite Improper Certificate Chain Validation Vulnerability
Vulnerability
A vulnerability exists in AVTECH EagleEyes Lite version 2.0.0 due to improper validation of SSL/TLS server certificates. The application uses a custom X509TrustManager that only checks certificate expiration dates, neglecting full certificate chain validation. This flaw could allow attackers to conduct man-in-the-middle (MITM) attacks with self-signed or rogue certificates, intercepting and manipulating sensitive surveillance data.
Impact
Exploitation of this vulnerability could lead to man-in-the-middle attacks, allowing interception and modification of communications between the application and its backend server. This could result in unauthorized access to or manipulation of sensitive surveillance data.
Remediation
Users are advised to update the application to a version that replaces the custom X509TrustManager with the default system implementation, which validates the entire certificate chain. Proper hostname verification should also be enforced to prevent the acceptance of mismatched or untrusted certificates. Additionally, any insecure fallback logic for older Android versions should be removed or updated to ensure consistent and secure TLS validation.
