Webroot SecureAnywhere Business 1.10.316 SSL Validation

2015.09.08
Credit: David Coomber
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Webroot SecureAnywhere Mobile Protection - MITM SSL Certificate Vulnerability -- http://www.info-sec.ca/advisories/Webroot-SecureAnywhere.html Overview "Webroot SecureAnywhere Business ? Mobile Protection provides essential security for iPhones and iPads and includes lost device protection that allows administrators to remotely locate the device, make the device scream and lock or wipe the device if it?s misplaced or stolen. The Webroot mobile device security console provides central management and inventory controls to IT professionals securing their mobile workforce." (https://itunes.apple.com/us/app/mobile-protection/id565693635) Issue The Webroot SecureAnywhere Business ? Mobile Protection iOS application (version 1.10.316 and below) does not validate the SSL certificate it receives when connecting to a secure site. Impact An attacker who can perform a man in the middle attack may present a bogus SSL certificate which the application will accept silently. Usernames, passwords and sensitive information could be captured by an attacker without the user's knowledge. Timeline August 2, 2015 - Notified Webroot via security@webroot.com & secure@webroot.com August 3, 2015 - Webroot responded saying that the 'limitation' would be addressed in an upcoming version August 3, 2015 - Asked Webroot for a timeline to provide an updated version August 31, 2015 - Webroot released version 1.11 which resolves this vulnerability Solution Upgrade to version 1.11 or later

References:

http://www.info-sec.ca/advisories/Webroot-SecureAnywhere.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top