Dell SecureWorks iOS Application - MITM SSL Certificate Vulnerability Feb 03 2016 10:53PM
David Coomber (davidcoomber infosec gmail com)


"Access your critical Dell SecureWorks security information on the go."

"With the Dell SecureWorks Mobile App you can:

* Quickly respond to security incidents on your mobile device
* Review/update/create tickets for your critical security events
* Contact the Dell SecureWorks Secure Operations Centers 24/7/365
* Get the latest threat intelligence from our award winning Counter
Threat Intelligence (CTU) team"



The Dell SecureWorks iOS application (version 2.0.6 and below) does
not validate the SSL certificate it receives when connecting to a
secure site.


An attacker who can perform a man in the middle attack may present a
bogus SSL certificate which the application will accept silently.
Usernames, passwords and sensitive information could be captured by an
attacker without the user's knowledge.


October 4, 2015 - Notified Dell SecureWorks via
security (at) secureworks (dot) com & security (at) dell (dot) com
October 6, 2015 - Dell SecureWorks responded stating that they are investigating
October 15, 2015 - Dell SecureWorks asked for steps to reproduce the
October 15, 2015 - Provided steps to reproduce
October 22, 2015 - Dell SecureWorks confirmed the vulnerability
October 22, 2015 - Asked for a timeline to release the new version
October 26, 2015 - Dell SecureWorks responded stating they are working
on an update but do not have a timeline
February 2, 2016 - Dell SecureWorks released version 2.1 which
resolves this vulnerability


Upgrade to version 2.1 or later
