In Moonlight iOS/tvOS before 4.0.1, the pairing process is vulnerable to a man-in-the-middle attack. The bug has been fixed in Moonlight v4.0.1 for iOS and tvOS.
Weakness
The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Moonlight | Moonlight-stream | * | 4.0.1 (excluding) |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/466.html
- https://cwe.mitre.org/data/definitions/57.html
- https://cwe.mitre.org/data/definitions/589.html
- https://cwe.mitre.org/data/definitions/590.html
- https://cwe.mitre.org/data/definitions/612.html
- https://cwe.mitre.org/data/definitions/613.html
- https://cwe.mitre.org/data/definitions/615.html
- https://cwe.mitre.org/data/definitions/662.html
- https://cwe.mitre.org/data/definitions/94.html
References
- https://github.com/moonlight-stream/moonlight-ios/commit/b0149b2fe9125a77ee11fe133382673694b6e8cc
- https://github.com/moonlight-stream/moonlight-ios/pull/405
- https://github.com/moonlight-stream/moonlight-ios/security/advisories/GHSA-g298-gp8q-h6j3
- https://github.com/moonlight-stream/moonlight-ios/commit/b0149b2fe9125a77ee11fe133382673694b6e8cc
- https://github.com/moonlight-stream/moonlight-ios/pull/405
- https://github.com/moonlight-stream/moonlight-ios/security/advisories/GHSA-g298-gp8q-h6j3