Dell SecureWorks iOS Application - MITM SSL Certificate Vulnerability (CVE-2016-2268)

Overview

"Access your critical Dell SecureWorks security information on the go."

"With the Dell SecureWorks Mobile App you can:

* Quickly respond to security incidents on your mobile device
* Review/update/create tickets for your critical security events
* Contact the Dell SecureWorks Secure Operations Centers 24/7/365
* Get the latest threat intelligence from our award winning Counter Threat Intelligence (CTU) team"

(https://itunes.apple.com/us/app/dell-secureworks/id533072046)

Issue

The Dell SecureWorks iOS application (version 2.0.6 and below) does not validate the SSL certificate it receives when connecting to a secure site.

Impact

An attacker who can perform a man in the middle attack may present a bogus SSL certificate which the application will accept silently. Usernames, passwords and sensitive information could be captured by an attacker without the user's knowledge.

Timeline

October 4, 2015 - Notified Dell SecureWorks via security@secureworks.com & security@dell.com
October 6, 2015 - Dell SecureWorks responded stating that they are investigating
October 15, 2015 - Dell SecureWorks asked for steps to reproduce the vulnerability
October 15, 2015 - Provided steps to reproduce
October 22, 2015 - Dell SecureWorks confirmed the vulnerability
October 22, 2015 - Asked for a timeline to release the new version
October 26, 2015 - Dell SecureWorks responded stating they are working on an update but do not have a timeline
February 2, 2016 - Dell SecureWorks released version 2.1 which resolves this vulnerability

Solution

Upgrade to version 2.1 or later

CVE-ID:

CVE-2016-2268

Questions?

Contact Information

Info-Sec.CA