[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Serena Dimensions CM Desktop Client does not validate the server SSL certificate

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Serena Dimensions CM Desktop Client does not validate the server SSL certificate
From: roland.gruber.extern@xxxxxxxxxxxxxxxxx
Date: Fri, 22 May 2009 01:57:09 -0600

Application: Serena Dimensions CM
Affected versions: 10.1 and later
Vulnerability: man-in-the-middle attacks
Problem type: remote

Problem description:
====================

The client/server connection can be SSL encrypted by setting "-ssl" in the 
listener.dat. The problem is that the Desktop client accepts any server 
certificates. They may be self signed or signed by a CA. But there is no user 
interaction required to accept the certificate. There is also no possibility to 
configure trusted certificates.

The vulnerability allows a man-in-the-middle attack where the attacker can read 
and modify the data betweeen client and server. This requires to modify the 
network traffic between client and server.

Resolution:
===========

There is currently no patch available for this problem.

Prev by Date: [SECURITY] [DSA 1802-2] New squirrelmail packages correct incomplete fix
Next by Date: LxBlog
Previous by thread: [SECURITY] [DSA 1802-2] New squirrelmail packages correct incomplete fix
Next by thread: LxBlog
Index(es):
- Date
- Thread