TUCoPS :: HP Unsorted S :: va3570.htm

Serena Dimensions CM Desktop Client does not validate the server SSL certificate
Serena Dimensions CM Desktop Client does not validate the server SSL certificate
Serena Dimensions CM Desktop Client does not validate the server SSL certificate


Application: Serena Dimensions CM
Affected versions: 10.1 and later
Vulnerability: man-in-the-middle attacks
Problem type: remote

Problem description:
===================
The client/server connection can be SSL encrypted by setting "-ssl" in the listener.dat. The problem is that the Desktop client accepts any server certificates. They may be self signed or signed by a CA. But there is no user interaction required to accept the certificate. There is also no possibility to configure trusted certificates.

The vulnerability allows a man-in-the-middle attack where the attacker can read and modify the data betweeen client and server. This requires to modify the network traffic between client and server.

Resolution:
==========
There is currently no patch available for this problem.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH