Executive Summary

[{'type': 'paragraph', 'content': "CVE-2025-13476 is a vulnerability in the Rakuten Viber messaging app's Cloak mode on Android (v25.7.2.0g) and Windows (v25.6.0.0 through v25.8.1.0). Cloak mode is designed to hide the use of a proxy or VPN to improve user anonymity. However, the TLS handshake in this mode uses a static and predictable ClientHello fingerprint that lacks extension diversity."}, {'type': 'paragraph', 'content': "Because of this predictable fingerprint, Deep Packet Inspection (DPI) systems can easily identify and block Viber's proxy traffic. This defeats the purpose of Cloak mode by exposing proxy usage, which can lead to censorship circumvention being undermined."}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows network operators or censors to detect and block Viber traffic that uses the Cloak proxy mode. As a result, users attempting to bypass censorship or maintain anonymity through proxy use may experience denial of service or inability to connect.

Additionally, users receive no indication that their proxy use is exposed, which may lead to a false sense of security regarding their privacy and anonymity.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by identifying the static and predictable TLS ClientHello fingerprint used by Rakuten Viber Cloak mode in affected versions. Deep Packet Inspection (DPI) systems can trivially detect this fingerprint due to its lack of extension diversity.'}, {'type': 'paragraph', 'content': 'To detect this on your network, you would monitor TLS handshakes and look for the specific ClientHello fingerprint that matches the vulnerable Viber Cloak mode traffic.'}, {'type': 'paragraph', 'content': 'While no specific commands are provided in the resources, typical detection methods could include using packet capture tools like Wireshark or tcpdump to capture TLS handshakes and then analyzing the ClientHello messages for the static fingerprint pattern.'}, {'type': 'list_item', 'content': "Use tcpdump to capture TLS traffic: tcpdump -i <interface> 'tcp port 443' -w capture.pcap"}, {'type': 'list_item', 'content': "Open the capture in Wireshark and filter for 'tls.handshake.type == 1' to view ClientHello messages."}, {'type': 'list_item', 'content': 'Analyze the ClientHello extensions and fingerprint for lack of diversity or static patterns indicative of the vulnerable Viber Cloak mode.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The recommended immediate mitigation is to upgrade the Rakuten Viber application to fixed versions where the vulnerability is resolved.

• For Android users, upgrade to version 27.2.0.0g or later.
• For Windows users, upgrade to version 27.3.0.0 or later.
• Windows users are also advised to enable automatic updates to ensure timely application of future fixes.

Useful 0 Not Useful 0