Dell SecureWorks iOS Application - MITM SSL Certificate Vulnerability

[David Coomber <davidcoomber.infosec () gmail com>]

Dell SecureWorks iOS Application - MITM SSL Certificate Vulnerability
--
http://www.info-sec.ca/advisories/Dell-SecureWorks.html

Overview

"Access your critical Dell SecureWorks security information on the go."

"With the Dell SecureWorks Mobile App you can:

* Quickly respond to security incidents on your mobile device
* Review/update/create tickets for your critical security events
* Contact the Dell SecureWorks Secure Operations Centers 24/7/365
* Get the latest threat intelligence from our award winning Counter
Threat Intelligence (CTU) team"

(https://itunes.apple.com/us/app/dell-secureworks/id533072046)

Issue

The Dell SecureWorks iOS application (version 2.0.6 and below) does
not validate the SSL certificate it receives when connecting to a
secure site.

Impact

An attacker who can perform a man in the middle attack may present a
bogus SSL certificate which the application will accept silently.
Usernames, passwords and sensitive information could be captured by an
attacker without the user's knowledge.

Timeline

October 4, 2015 - Notified Dell SecureWorks via
security () secureworks com & security () dell com
October 6, 2015 - Dell SecureWorks responded stating that they are investigating
October 15, 2015 - Dell SecureWorks asked for steps to reproduce the
vulnerability
October 15, 2015 - Provided steps to reproduce
October 22, 2015 - Dell SecureWorks confirmed the vulnerability
October 22, 2015 - Asked for a timeline to release the new version
October 26, 2015 - Dell SecureWorks responded stating they are working
on an update but do not have a timeline
February 2, 2016 - Dell SecureWorks released version 2.1 which
resolves this vulnerability

Solution

Upgrade to version 2.1 or later