Serena Dimensions CM Desktop Client does not validate the server SSL certificate

Application: Serena Dimensions CM
Affected versions: 10.1 and later
Vulnerability: man-in-the-middle attacks
Problem type: remote

Problem description:

The client/server connection can be SSL-encrypted by setting "-ssl" in listener.dat. The problem is that the Desktop client accepts any server certificate, whether self-signed or signed by a CA: no user interaction is required to accept the certificate, and there is no way to configure which certificates are trusted.

The vulnerability allows a man-in-the-middle attack in which the attacker can read and modify the data between client and server. This requires the ability to intercept the network traffic between client and server.
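The following is an added example, written for this advisory and not code from Serena or the Dimensions CM product, that reproduces the failure mode in miniature with the Go standard library. It constructs two self-signed certificates on the fly (a "real" server certificate and an impostor with the same name but a different key), starts a throw-away TLS listener on loopback for each case, and compares two client policies: an accept-anything client (`InsecureSkipVerify`, the behaviour the advisory describes) and a client that trusts only an operator-configured certificate, which is the control the Desktop client lacks. The server names, the loopback address and the certificate contents are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newSelfSignedCert builds a throw-away self-signed certificate valid for 127.0.0.1
// (constructed for the example). The real server and the impostor use the same helper;
// they differ only in the signing key, which is exactly what a verifying client checks.
func newSelfSignedCert(cn string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// serveOnce listens on a loopback port, presents cert to one client and drives the
// handshake to completion so the client observes a definitive accept or reject.
func serveOnce(cert tls.Certificate) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", err
	}
	go func() {
		defer ln.Close()
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake() // error ignored: a rejecting client is expected in one case
			c.Close()
		}
	}()
	return ln.Addr().String(), nil
}

// InsecureClientConfig mirrors the advisory's client: any server certificate is accepted.
func InsecureClientConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS12}
}

// VerifyingClientConfig trusts only the operator-configured certificate (the missing control).
func VerifyingClientConfig(trusted *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
}

// handshakeOK reports whether a TLS handshake under the given client policy succeeds.
func handshakeOK(addr string, cfg *tls.Config) bool {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return false
	}
	conn.Close()
	return true
}

// Demo runs three cases: verifying client vs. real server, accept-anything client vs.
// impostor, and verifying client vs. impostor (an on-path party presenting its own cert).
func Demo() (map[string]bool, error) {
	realCert, realLeaf, err := newSelfSignedCert("dimensions-server")
	if err != nil {
		return nil, err
	}
	impostorCert, _, err := newSelfSignedCert("dimensions-server") // same name, different key
	if err != nil {
		return nil, err
	}
	cases := []struct {
		name string
		srv  tls.Certificate
		cfg  *tls.Config
	}{
		{"verifying_accepts_real", realCert, VerifyingClientConfig(realLeaf)},
		{"insecure_accepts_impostor", impostorCert, InsecureClientConfig()},
		{"verifying_accepts_impostor", impostorCert, VerifyingClientConfig(realLeaf)},
	}
	results := map[string]bool{}
	for _, c := range cases {
		addr, err := serveOnce(c.srv)
		if err != nil {
			return nil, err
		}
		results[c.name] = handshakeOK(addr, c.cfg)
	}
	return results, nil
}

func main() { fmt.Println(Demo()) }
```

Running it shows the verifying client accepting the real server and rejecting the impostor, while the accept-anything client completes the handshake with the impostor just as readily; the impostor's certificate carries the same name and address as the genuine one, so only the trust configuration distinguishes them. That is the check a client needs before any of the `-ssl` encryption provides authenticity as well as confidentiality.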


There is currently no patch available for this problem.