Serena Dimensions CM Desktop Client does not validate the server SSL certificate

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Serena Dimensions CM Desktop Client does not validate the server SSL certificate
From: roland.gruber.extern@xxxxxxxxxxxxxxxxx
Date: Fri, 22 May 2009 01:57:09 -0600
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Application: Serena Dimensions CM
Affected versions: 10.1 and later
Vulnerability: man-in-the-middle attacks
Problem type: remote

Problem description:
====================

The client/server connection can be SSL encrypted by setting "-ssl" in the 
listener.dat. The problem is that the Desktop client accepts any server 
certificates. They may be self signed or signed by a CA. But there is no user 
interaction required to accept the certificate. There is also no possibility to 
configure trusted certificates.

The vulnerability allows a man-in-the-middle attack where the attacker can read 
and modify the data betweeen client and server. This requires to modify the 
network traffic between client and server.

Resolution:
===========

There is currently no patch available for this problem.

Prev by Date: Novell GroupWise Internet Agent Remote Buffer Overflow Vulnerabilities
Next by Date: LxBlog
Previous by thread: Novell GroupWise Internet Agent Remote Buffer Overflow Vulnerabilities
Next by thread: LxBlog
Index(es):
- Date
- Thread