Dell SecureWorks iOS Certificate Validation Failure
Posted on 07 February 2016
Source: packetstormsecurity.org
Dell SecureWorks iOS Application - MITM SSL Certificate Vulnerability
--
http://www.info-sec.ca/advisories/Dell-SecureWorks.html
Overview
"Access your critical Dell SecureWorks security information on the go."
"With the Dell SecureWorks Mobile App you can:
* Quickly respond to security incidents on your mobile device
* Review/update/create tickets for your critical security events
* Contact the Dell SecureWorks Secure Operations Centers 24/7/365
* Get the latest threat intelligence from our award winning Counter
Threat Intelligence (CTU) team"
(https://itunes.apple.com/us/app/dell-secureworks/id533072046)
Issue
The Dell SecureWorks iOS application (version 2.0.6 and below) does
not validate the SSL certificate it receives when connecting to a
secure site.
Impact
An attacker who can perform a man-in-the-middle attack may present a
bogus SSL certificate, which the application will accept silently.
Usernames, passwords and sensitive information could be captured by an
attacker without the user's knowledge.
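The advisory does not say how the validation was disabled, so the following is an added illustration (not the Dell SecureWorks app's code) of the NSURLSession delegate anti-pattern that produces exactly this class of bug, placed beside the form that evaluates the server's chain before accepting it. The class names are hypothetical; the Foundation and Security APIs are real.

```objectivec
// Added illustration, not code from the advisory or the affected app.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

@interface TrustEverythingDelegate : NSObject <NSURLSessionDelegate>
@end

@implementation TrustEverythingDelegate
// VULNERABLE: hands the server's trust object straight back as a credential,
// so any certificate (self-signed, wrong host, expired) is accepted silently.
- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition,
                             NSURLCredential *))completionHandler {
    SecTrustRef trust = challenge.protectionSpace.serverTrust;
    completionHandler(NSURLSessionAuthChallengeUseCredential,
                      [NSURLCredential credentialForTrust:trust]);
}
@end

@interface ValidatingDelegate : NSObject <NSURLSessionDelegate>
@end

@implementation ValidatingDelegate
// FIXED: evaluate the chain against the system trust store (the host name is
// already bound into the trust object by the protection space) and cancel the
// connection unless the result is one of the two "trusted" outcomes.
- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition,
                             NSURLCredential *))completionHandler {
    if (![challenge.protectionSpace.authenticationMethod
            isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }
    SecTrustRef trust = challenge.protectionSpace.serverTrust;
    SecTrustResultType result = kSecTrustResultInvalid;
    OSStatus status = SecTrustEvaluate(trust, &result);
    BOOL trusted = (status == errSecSuccess) &&
                   (result == kSecTrustResultUnspecified ||
                    result == kSecTrustResultProceed);
    if (!trusted) {
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
        return;
    }
    completionHandler(NSURLSessionAuthChallengeUseCredential,
                      [NSURLCredential credentialForTrust:trust]);
}
@end
```

The simplest correct form is to not override the server-trust challenge at all: NSURLSession performs this evaluation by default, and any delegate that calls `credentialForTrust:` without a prior `SecTrustEvaluate` is the pattern to flag in code review.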
Timeline
October 4, 2015 - Notified Dell SecureWorks via
security@secureworks.com & security@dell.com
October 6, 2015 - Dell SecureWorks responded stating that they are investigating
October 15, 2015 - Dell SecureWorks asked for steps to reproduce the
vulnerability
October 15, 2015 - Provided steps to reproduce
October 22, 2015 - Dell SecureWorks confirmed the vulnerability
October 22, 2015 - Asked for a timeline to release the new version
October 26, 2015 - Dell SecureWorks responded stating they are working
on an update but do not have a timeline
February 2, 2016 - Dell SecureWorks released version 2.1 which
resolves this vulnerability
Solution
Upgrade to version 2.1 or later