search menu icon-carat-right cmu-wordmark

CERT Coordination Center

AMTELCO miSecureMessages Server insecurely authenticates clients

Vulnerability Note VU#251628

Original Release Date: 2014-04-11 | Last Revised: 2014-04-18

Overview

AMTELCO miSecureMessages Server Release 6.2 performs weak authentication for access to user messages (CWE-287).

Description

AMTELCO miSecureMessages Server Release 6.2 performs weak authentication for access to user messages. miSecureMessages authenticates client app XML requests for messaging data using the contact identifier value and a valid license key. The contact identifier is trivial to guess and a license key will be present on a licensed client app.

AMTELCO has provided a vendor statement about this vulnerability.

Impact

A remote attacker may be able to read users' messages by iterating through contact identifier values.

Solution

AMTELCO has addressed this vulnerability in miSecureMessages Server Release 6.3 which is available to all customers (login required).

Vendor Information

251628
 
Affected   Unknown   Unaffected

AMTELCO

Notified:  April 11, 2014 Updated:  April 18, 2014

Statement Date:   April 18, 2014

Status

  Affected

Vendor Statement

The vulnerability was discovered during testing. The vulnerability is highly unlikely and no data breaches in the field have been identified by AMTELCO nor have any been reported by customers, users, or other sources. AMTELCO has notified all miSecureMessages customers to offer the recommended mitigation step of upgrading to the currently available miSecureMessages Server release 6.3.

Detailed information about this vulnerability and the recommended mitigation is available to AMTELCO miSecureMessages customers by accessing the AMTELCO technical support web page https://service.amtelco.com or by contacting Amtelco at 1800-356-9148.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Addendum

We attempted to notify AMTELCO via email (<info@amtelco.com>, found on the "Contact Us" page), sending messages on March 12 and March 18, 2014. Not receiving a response, we published Vulnerability Note VU#251628 on April 11, 2014. We made two mistakes: First, not waiting the usual 45 days before publishing, and second, not making further attempts to contact AMTELCO (for example, calling them).

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base 7.1 AV:N/AC:M/Au:N/C:C/I:N/A:N
Temporal 5.6 E:POC/RL:OF/RC:C
Environmental 1.4 CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Jared Bird for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs: CVE-2014-0357
Date Public: 2014-04-11
Date First Published: 2014-04-11
Date Last Updated: 2014-04-18 22:22 UTC
Document Revision: 41

Sponsored by CISA.