Thycotic Password Manager Secret Server iOS Application MITM

2015-05-27 / 2015-06-06
Credit: David Coombe
Risk: Medium
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 5.8/10
Impact Subscore: 4.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None

Thycotic Password Manager Secret Server iOS Application - MITM SSL Certificate Vulnerability -- http://www.info-sec.ca/advisories/Thycotic-SecretServer.html Overview "With the Password Manager Secret Server app, you can access passwords for an EXISTING on-premise Secret Server or Secret Server Online account." "This password app combines enterprise-level security with home-user simplicity, making it a convenient choice for both IT professionals AND home users." "Count on Extreme Security: Your passwords are safely stored on a secure server-not on your phone. You get top-level AES 256 bit encryption. You get a personal pin code lock for an additional layer of security. A built-in password generator creates strong, unique passwords. Your data is backed by a leading enterprise password management platform." "Safe Storage for: Enterprise-level or personal passwords. Bank account and tax numbers. ATM Pins. Social security numbers. Credit card numbers. Combination lock numbers" (https://itunes.apple.com/us/app/password-manager-secret-server/id327380697) Issue The Thycotic Password Manager Secret Server iOS application does not validate the SSL certificate it receives when connecting to a secure site. Impact An attacker could perform a man in the middle attack by presenting a bogus SSL certificate which the application will accept silently. Usernames, passwords and sensitive information could be captured by an attacker without the user's knowledge. Timeline February 1, 2015 - Notified Thycotic via security () thycotic com, e-mail bounced February 1, 2015 - Resent to secure () thycotic com & info () thycotic com, e-mail to secure () thycotic com bounced February 2, 2015 - Thycotic confirmed the vulnerability and advised that an update to resolve the issue would be released by the end of the week February 12, 2015 - Thycotic advised that the update will be released shortly February 24, 2015 - Thycotic advised that the update has been pushed out for another month or two March 21, 2015 - Thycotic advised that the update has been provided to Apple for their verification May 26, 2015 - Thycotic released the Thycotic PAM iOS application which they state is a replacement for the Thycotic Secret Server iOS application Solution Thycotic has chosen to release a new application instead of updating the existing Secret Server application. If you use the Secret Server iOS application, you'll likely want to log in to your Secret Server instance or https://secretserveronline.com with a browser, change your password(s) and decide if you want to use the new application. https://itunes.apple.com/us/app/thycotic-pam/id979011770

References:

http://www.info-sec.ca/advisories/Thycotic-SecretServer.html
https://itunes.apple.com/us/app/password-manager-secret-server/id327380697
https://itunes.apple.com/us/app/thycotic-pam/id979011770


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top