CVE-2017-9821

9.8 CRITICAL

📋 TL;DR

The BHIM Android app validates its authentication SMS messages against hardcoded strings, which lets an attacker bypass SMS-based authentication. Attackers could potentially gain unauthorized access to payment accounts. All users of BHIM version 1.3 for Android are affected.

💻 Affected Systems

Products:
  • National Payments Corporation of India BHIM application
Versions: 1.3
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Only the Android BHIM app, version 1.3, is affected. The vulnerability exists in the default configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete account takeover enabling unauthorized financial transactions, identity theft, and financial loss to users.

🟠 Likely Case: Unauthorized access to payment accounts leading to fraudulent transactions and potential financial theft.

🟢 If Mitigated: Limited impact if multi-factor authentication or additional security controls are implemented beyond SMS validation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires physical access to the device or the ability to intercept SMS messages. The hardcoded strings are publicly documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 1.3

Vendor Advisory: https://www.npci.org.in/what-we-do/bhim/product-overview

Restart Required: Yes

Instructions:

1. Update the BHIM app from the Google Play Store
2. Uninstall version 1.3
3. Install the latest version
4. Restart the device

🔧 Temporary Workarounds

Disable SMS permissions (Android)

Temporarily revoke the BHIM app's SMS permissions to prevent exploitation. Note that pm revoke only applies to runtime permissions, so this works on Android 6.0 or later:

adb shell pm revoke com.npci.bhim android.permission.RECEIVE_SMS
adb shell pm revoke com.npci.bhim android.permission.READ_SMS

Uninstall vulnerable version (Android)

Remove the vulnerable app version until an update is available:

adb uninstall com.npci.bhim

🧯 If You Can't Patch

  • Discontinue use of BHIM app version 1.3 immediately
  • Monitor financial accounts for unauthorized transactions
  • Enable additional authentication methods if available

🔍 How to Verify

Check if Vulnerable:

Check the app version in Android Settings > Apps > BHIM > App info. If the version is 1.3, the app is vulnerable.

Check Version:

adb shell dumpsys package com.npci.bhim | grep versionName

Verify Fix Applied:

Verify app version is greater than 1.3. Test SMS authentication functionality.
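To make the version check above scriptable across many devices, here is an added example (not from the advisory or from NPCI) that parses the output of dumpsys package and applies the "greater than 1.3" rule; the sample dumpsys text and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the advisory: decide from `dumpsys package` output
# whether the installed BHIM build is still the affected 1.3 release.
# Live use: bhim_status "$(adb shell dumpsys package com.npci.bhim)"

# Constructed samples of the relevant dumpsys lines (real output is much longer).
SAMPLE_VULN='Package [com.npci.bhim] (1a2b3c4):
    versionCode=13 minSdk=19 targetSdk=25
    versionName=1.3'
SAMPLE_FIXED='Package [com.npci.bhim] (1a2b3c4):
    versionCode=14 minSdk=19 targetSdk=25
    versionName=1.4'

# Pull the first versionName= value out of dumpsys text on stdin.
extract_version() {
  sed -n 's/^[[:space:]]*versionName=\([^[:space:]]*\).*/\1/p' | head -n 1
}

# Compare dotted versions numerically, component by component (1.10 > 1.9).
# Prints -1, 0 or 1.
version_cmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, pa, "."); nb = split(b, pb, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      x = (i <= na) ? pa[i] + 0 : 0
      y = (i <= nb) ? pb[i] + 0 : 0
      if (x < y) { print "-1"; exit }
      if (x > y) { print "1"; exit }
    }
    print "0"
  }'
}

# "fixed" when newer than 1.3 (the advisory's fix check), "vulnerable" for 1.3
# or anything not newer, "unknown" if no versionName line was found.
bhim_status() {
  ver=$(printf '%s\n' "$1" | extract_version)
  if [ -z "$ver" ]; then
    echo unknown
  elif [ "$(version_cmp "$ver" 1.3)" -eq 1 ]; then
    echo fixed
  else
    echo vulnerable
  fi
}

bhim_status "$SAMPLE_VULN"    # vulnerable
bhim_status "$SAMPLE_FIXED"   # fixed
```

An "unknown" result usually means the package is not installed on that device, which is the expected state after the uninstall workaround.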

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts followed by successful login
  • SMS validation using hardcoded strings in app logs

Network Indicators:

  • Unusual SMS traffic patterns to/from payment app
  • Authentication requests bypassing normal validation

SIEM Query:

source="android_logs" app="BHIM" (event="authentication" AND result="success" AND method="sms")
