lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAHmS9PJxC=uGHGMU0XzSg+0cxyOR1GCiMauDq2fG8CzLtfHPeA@mail.gmail.com> Date: Wed, 3 Feb 2016 17:53:55 -0500 From: David Coomber <davidcoomber.infosec@...il.com> To: fulldisclosure@...lists.org, bugtraq@...urityfocus.com, vuln@...unia.com, cert@...t.org Subject: [FD] Dell SecureWorks iOS Application - MITM SSL Certificate Vulnerability Dell SecureWorks iOS Application - MITM SSL Certificate Vulnerability -- http://www.info-sec.ca/advisories/Dell-SecureWorks.html Overview "Access your critical Dell SecureWorks security information on the go." "With the Dell SecureWorks Mobile App you can: * Quickly respond to security incidents on your mobile device * Review/update/create tickets for your critical security events * Contact the Dell SecureWorks Secure Operations Centers 24/7/365 * Get the latest threat intelligence from our award winning Counter Threat Intelligence (CTU) team" (https://itunes.apple.com/us/app/dell-secureworks/id533072046) Issue The Dell SecureWorks iOS application (version 2.0.6 and below) does not validate the SSL certificate it receives when connecting to a secure site. Impact An attacker who can perform a man in the middle attack may present a bogus SSL certificate which the application will accept silently. Usernames, passwords and sensitive information could be captured by an attacker without the user's knowledge. Timeline October 4, 2015 - Notified Dell SecureWorks via security@...ureworks.com & security@...l.com October 6, 2015 - Dell SecureWorks responded stating that they are investigating October 15, 2015 - Dell SecureWorks asked for steps to reproduce the vulnerability October 15, 2015 - Provided steps to reproduce October 22, 2015 - Dell SecureWorks confirmed the vulnerability October 22, 2015 - Asked for a timeline to release the new version October 26, 2015 - Dell SecureWorks responded stating they are working on an update but do not have a timeline February 2, 2016 - Dell SecureWorks released version 2.1 which resolves this vulnerability Solution Upgrade to version 2.1 or later _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists