
Serena Dimensions CM Desktop Client does not validate the server SSL certificate

Application: Serena Dimensions CM
Affected versions: 10.1 and later
Vulnerability: man-in-the-middle attacks
Problem type: remote

Problem description:
===================
The client/server connection can be SSL encrypted by setting "-ssl" in listener.dat. The problem is that the Desktop Client accepts any server certificate, whether self-signed or signed by a CA: the certificate is never validated, no user interaction is required to accept it, and there is no way to configure a set of trusted certificates. The connection is therefore encrypted, but the server is never authenticated.

The vulnerability allows a man-in-the-middle attack: an attacker who can intercept and modify network traffic between client and server can present his own certificate, which the client accepts like any other, and then read and modify the data exchanged between client and server.
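To make the point concrete, the following is an added example in Python, not code from Serena or from the Dimensions CM client (which is not written in Python; all names here are illustrative). It shows the permissive client configuration the advisory describes next to a checked one, an audit function that flags the settings that make a client MITM-able, and an out-of-band certificate pin, which is the "trusted certificates" option the Desktop Client lacks. The CA bundle path and any pin value passed in are assumptions supplied by the caller; the DER bytes in the comments are constructed stand-ins, not a real certificate.

```python
import hashlib
import hmac
import socket
import ssl
from typing import List, Optional


def permissive_context() -> ssl.SSLContext:
    """Client context that mirrors the behaviour the advisory describes:
    any server certificate is accepted, self-signed or CA-signed, without a
    prompt. The session is encrypted but the server is never authenticated,
    so an interposed host can present its own certificate and terminate TLS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def strict_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Client context with the checks the Desktop Client lacks: the chain is
    validated against a trust store and the host name is checked.
    ca_file is an assumed path to an organisation's own CA bundle;
    None falls back to the platform trust store."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the settings that would let an interposed server be accepted."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode=CERT_NONE: certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname=False: certificate may belong to another host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS < 1.2")
    return findings


def certificate_pin(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate: the value an administrator
    records out of band in order to pin one specific server certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: Optional[bytes], expected_pin: str) -> bool:
    """True only if a peer certificate was presented and its fingerprint
    equals the recorded pin (constant-time comparison)."""
    if not der_cert:
        return False
    return hmac.compare_digest(certificate_pin(der_cert), expected_pin.lower())


def connect_checked(host: str, port: int, ctx: ssl.SSLContext,
                    expected_pin: Optional[str] = None) -> ssl.SSLSocket:
    """Open a TLS connection. Chain and host-name validation happen inside
    wrap_socket according to ctx; an optional pin is checked on top, so that
    even a certificate from a trusted CA is rejected unless it is the one
    the administrator recorded."""
    raw = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    if expected_pin is not None:
        # getpeercert(binary_form=True) returns the DER bytes, e.g. the
        # constructed stand-in b"...DER..." used in the checks below.
        if not pin_matches(tls.getpeercert(binary_form=True), expected_pin):
            tls.close()
            raise ssl.SSLError("certificate pin mismatch for %s" % host)
    return tls
```

Running audit_context over the two contexts is the quickest way to show which settings matter: the permissive one is flagged for both the missing chain validation and the missing host-name check, while the strict one produces no findings. The pin is deliberately an extra layer rather than a replacement for chain validation; on its own it would still leave the client with no revocation or expiry handling.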

Resolution:
==========
There is currently no patch available for this problem.
