CERT VU:251628
History: Apr 11, 2014 - 12:00 a.m.

AMTELCO miSecureMessages Server insecurely authenticates clients

2014-04-11 00:00:00
www.kb.cert.org

CVSS2: 5 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.003 Low
Percentile: 70.8%

Overview

AMTELCO miSecureMessages Server Release 6.2 performs weak authentication for access to user messages (CWE-287).

Description

AMTELCO miSecureMessages Server Release 6.2 performs weak authentication for access to user messages. miSecureMessages authenticates client app XML requests for messaging data using the contact identifier value and a valid license key. The contact identifier is trivial to guess and a license key will be present on a licensed client app.

AMTELCO has provided a vendor statement about this vulnerability.


Impact

A remote attacker may be able to read users’ messages by iterating through contact identifier values.
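One way to check server or proxy request logs for the access pattern described above, as an added example that is not part of the original advisory or AMTELCO's code. The record layout (timestamp, source address, license key, contact identifier), the threshold and the window are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def constructed_sample():
    """Constructed log records: (ISO timestamp, source IP, license key, contact ID).
    The field layout is hypothetical; map your own log fields onto this tuple."""
    base = datetime(2014, 4, 11, 10, 0, 0)
    rows = []
    # Normal client: polls its own contact identifier every 30 seconds.
    for i in range(20):
        ts = (base + timedelta(seconds=30 * i)).isoformat()
        rows.append((ts, "198.51.100.7", "KEY-A", 1042))
    # Suspicious client: one license key, a different contact identifier each request.
    for i in range(12):
        ts = (base + timedelta(seconds=5 * i)).isoformat()
        rows.append((ts, "203.0.113.5", "KEY-B", 1000 + i))
    return rows


def find_enumeration(records, max_ids=5, window=timedelta(minutes=10)):
    """Return {(source, license_key): peak_distinct_ids} for every pair that
    requested more than max_ids distinct contact identifiers inside one
    sliding time window. A legitimate client normally asks for one identifier."""
    recent = defaultdict(deque)  # (source, key) -> deque of (time, contact_id)
    alerts = {}
    for ts, src, key, contact_id in sorted(records):
        now = datetime.fromisoformat(ts)
        q = recent[(src, key)]
        q.append((now, contact_id))
        # Drop requests that have aged out of the window.
        while now - q[0][0] > window:
            q.popleft()
        distinct = len({cid for _, cid in q})
        if distinct > max_ids:
            alerts[(src, key)] = max(distinct, alerts.get((src, key), 0))
    return alerts


if __name__ == "__main__":
    for (src, key), count in find_enumeration(constructed_sample()).items():
        print(f"{src} with license key {key}: {count} distinct contact IDs in window")
```

Grouping by license key alone as well as by source address catches the same key being used from several addresses.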


Solution

AMTELCO has addressed this vulnerability in miSecureMessages Server Release 6.3, which is available to all customers (login required).


Vendor Information


AMTELCO: Affected

Notified: April 11, 2014 Updated: April 18, 2014

Statement Date: April 18, 2014

Status

Affected

Vendor Statement

The vulnerability was discovered during testing. The vulnerability is highly unlikely and no data breaches in the field have been identified by AMTELCO nor have any been reported by customers, users, or other sources. AMTELCO has notified all miSecureMessages customers to offer the recommended mitigation step of upgrading to the currently available miSecureMessages Server release 6.3.

Detailed information about this vulnerability and the recommended mitigation is available to AMTELCO miSecureMessages customers by accessing the AMTELCO technical support web page <https://service.amtelco.com> or by contacting Amtelco at 1800-356-9148.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

We attempted to notify AMTELCO via email (<[email protected]>, found on the “Contact Us” page), sending messages on March 12 and March 18, 2014. Not receiving a response, we published Vulnerability Note VU#251628 on April 11, 2014. We made two mistakes: First, not waiting the usual 45 days before publishing, and second, not making further attempts to contact AMTELCO (for example, calling them).

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23251628 Feedback>).

CVSS Metrics

| Group | Score | Vector |
| --- | --- | --- |
| Base | 7.1 | AV:N/AC:M/Au:N/C:C/I:N/A:N |
| Temporal | 5.6 | E:POC/RL:OF/RC:C |
| Environmental | 1.4 | CDP:ND/TD:L/CR:ND/IR:ND/AR:ND |

Acknowledgements

Thanks to Jared Bird for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs: CVE-2014-0357
Date Public: 2014-04-11 Date First Published:
