Overview
AMTELCO miSecureMessages Server Release 6.2 performs weak authentication for access to user messages (CWE-287).
Description
AMTELCO miSecureMessages Server Release 6.2 performs weak authentication for access to user messages. miSecureMessages authenticates client app XML requests for messaging data using the contact identifier value and a valid license key. The contact identifier is trivial to guess and a license key will be present on a licensed client app. AMTELCO has provided a vendor statement about this vulnerability. |
Impact
A remote attacker may be able to read users' messages by iterating through contact identifier values. |
Solution
AMTELCO has addressed this vulnerability in miSecureMessages Server Release 6.3 which is available to all customers (login required). |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 7.1 | AV:N/AC:M/Au:N/C:C/I:N/A:N |
| Temporal | 5.6 | E:POC/RL:OF/RC:C |
| Environmental | 1.4 | CDP:ND/TD:L/CR:ND/IR:ND/AR:ND |
References
Acknowledgements
Thanks to Jared Bird for reporting this vulnerability.
This document was written by Jared Allar.
Other Information
| CVE IDs: | CVE-2014-0357 |
| Date Public: | 2014-04-11 |
| Date First Published: | 2014-04-11 |
| Date Last Updated: | 2014-04-18 22:22 UTC |
| Document Revision: | 41 |