lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 2 Mar 2016 19:36:24 -0500
From: David Coomber <davidcoomber.infosec@...il.com>
To: fulldisclosure@...lists.org, bugtraq@...urityfocus.com, vuln@...unia.com,
  cert@...t.org
Subject: Panda SM Manager iOS Application - MITM SSL Certificate Vulnerability

Panda SM Manager iOS Application - MITM SSL Certificate Vulnerability
--
http://www.info-sec.ca/advisories/Panda-Security-SM-Manager.html

Overview

"Panda Systems Management is the new way to manage and monitor IT systems."

"Inventory, monitoring, management, remote control and reporting...
All from a single Web-based console"

(https://itunes.apple.com/us/app/panda-sm-manager/id672205099)

Issue

The Panda SM Manager iOS application (version 2.0.10 and below) does
not validate the SSL certificate it receives when connecting to a
secure site.

Impact

An attacker who can perform a man in the middle attack may present a
bogus SSL certificate which the application will accept silently.
Usernames, passwords and sensitive information could be captured by an
attacker without the user's knowledge.

Timeline

July 19, 2015 - Notified Panda Security via
security@...dasecurity.com, e-mail bounced
July 20, 2015 - Resent vulnerability report to
corporatesupport@...pandasecurity.com & security@...pandasecurity.com
July 20, 2015 - Panda Security responded stating they will investigate
July 31, 2015 - Asked for an update on their investigation
August 3, 2015 - Panda Security responded stating that the issue has
been escalated and is still being reviewed
August 14, 2015 - Asked for an update on their investigation
October 16, 2015 - Asked for an update on their investigation
March 1, 2016 - Panda Security released version 2.6.0 which resolves
this vulnerability

Solution

Upgrade to version 2.6.0 or later

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ