Dell SecureWorks iOS Application - MITM SSL Certificate Vulnerability (CVE-2016-2268)
"Access your critical Dell SecureWorks security information on the go."
"With the Dell SecureWorks Mobile App you can:
* Quickly respond to security incidents on your mobile device
* Review/update/create tickets for your critical security events
* Contact the Dell SecureWorks Secure Operations Centers 24/7/365
* Get the latest threat intelligence from our award winning Counter Threat Intelligence (CTU) team"
The Dell SecureWorks iOS application (version 2.0.6 and below) does not validate the SSL certificate it receives when connecting to a secure site.
An attacker who can perform a man-in-the-middle attack can present a bogus SSL certificate, which the application accepts silently.
Usernames, passwords and sensitive information could be captured by an attacker without the user's knowledge.
October 4, 2015 - Notified Dell SecureWorks via email@example.com & firstname.lastname@example.org
October 6, 2015 - Dell SecureWorks responded stating that they are investigating
October 15, 2015 - Dell SecureWorks asked for steps to reproduce the vulnerability
October 15, 2015 - Provided steps to reproduce
October 22, 2015 - Dell SecureWorks confirmed the vulnerability
October 22, 2015 - Asked for a timeline to release the new version
October 26, 2015 - Dell SecureWorks responded stating they are working on an update but do not have a timeline
February 2, 2016 - Dell SecureWorks released version 2.1 which resolves this vulnerability
Upgrade to version 2.1 or later