Metric | Value |
---|---|
CVSS2 | 5 Medium |
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | NONE |
Availability Impact | NONE |
CVSS2 Vector | AV:N/AC:L/Au:N/C:P/I:N/A:N |
EPSS | 0.003 Low |
EPSS Percentile | 70.8% |
AMTELCO miSecureMessages Server Release 6.2 performs weak authentication for access to user messages (CWE-287).
AMTELCO miSecureMessages Server Release 6.2 performs weak authentication for access to user messages. miSecureMessages authenticates client app XML requests for messaging data using the contact identifier value and a valid license key. The contact identifier is trivial to guess and a license key will be present on a licensed client app.
AMTELCO has provided a vendor statement about this vulnerability.
A remote attacker may be able to read users’ messages by iterating through contact identifier values.
AMTELCO has addressed this vulnerability in miSecureMessages Server Release 6.3 which is available to all customers (login required).
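For sites that ran Release 6.2, the access pattern described above (one client requesting messages for many contact identifiers) can be looked for in request records. The following is an added example, not code from AMTELCO or from this note; the record layout, function names and thresholds are assumptions, as is the premise that a legitimate client app requests only its own contact identifier.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: timestamp, client address, license key label,
# contact identifier. The layout is an assumption, not the product's log format.
SAMPLE_LOG = """\
2014-04-01T09:00:01 10.0.0.5 LIC-A 1041
2014-04-01T09:02:10 10.0.0.5 LIC-A 1041
2014-04-01T09:00:00 10.0.0.7 LIC-A 2001
2014-04-01T13:00:00 10.0.0.7 LIC-A 2002
2014-04-01T09:10:00 10.0.0.9 LIC-B 1000
2014-04-01T09:10:02 10.0.0.9 LIC-B 1001
2014-04-01T09:10:04 10.0.0.9 LIC-B 1002
2014-04-01T09:10:06 10.0.0.9 LIC-B 1003
2014-04-01T09:10:08 10.0.0.9 LIC-B 1004
malformed line
"""

def parse(text):
    """Yield (timestamp, (address, license), contact_id); skip malformed lines."""
    for line in text.splitlines():
        try:
            stamp, addr, lic, contact = line.split()
            yield datetime.fromisoformat(stamp), (addr, lic), contact
        except ValueError:
            continue  # wrong field count or unparseable timestamp

def find_enumeration(records, window=timedelta(minutes=5), max_contacts=3):
    """Return {client: peak distinct contact ids in any window} above max_contacts."""
    by_client = defaultdict(list)
    for ts, client, contact in records:
        by_client[client].append((ts, contact))
    flagged = {}
    for client, events in by_client.items():
        events.sort()
        counts, start, peak = defaultdict(int), 0, 0
        for ts, contact in events:
            counts[contact] += 1
            while ts - events[start][0] > window:  # drop events older than the window
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            peak = max(peak, len(counts))
        if peak > max_contacts:
            flagged[client] = peak
    return flagged
```

Grouping by address and license key together matters because the license key is shared by every licensed client app and does not identify a user on its own.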
Notified: April 11, 2014 Updated: April 18, 2014
Statement Date: April 18, 2014
Affected
The vulnerability was discovered during testing. The vulnerability is highly unlikely and no data breaches in the field have been identified by AMTELCO nor have any been reported by customers, users, or other sources. AMTELCO has notified all miSecureMessages customers to offer the recommended mitigation step of upgrading to the currently available miSecureMessages Server release 6.3.
Detailed information about this vulnerability and the recommended mitigation is available to AMTELCO miSecureMessages customers by accessing the AMTELCO technical support web page <https://service.amtelco.com> or by contacting Amtelco at 1800-356-9148.
We are not aware of further vendor information regarding this vulnerability.
We attempted to notify AMTELCO via email (<[email protected]>, found on the “Contact Us” page), sending messages on March 12 and March 18, 2014. Not receiving a response, we published Vulnerability Note VU#251628 on April 11, 2014. We made two mistakes: First, not waiting the usual 45 days before publishing, and second, not making further attempts to contact AMTELCO (for example, calling them).
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23251628 Feedback>).
Group | Score | Vector |
---|---|---|
Base | 7.1 | AV:N/AC:M/Au:N/C:C/I:N/A:N |
Temporal | 5.6 | E:POC/RL:OF/RC:C |
Environmental | 1.4 | CDP:ND/TD:L/CR:ND/IR:ND/AR:ND |
Thanks to Jared Bird for reporting this vulnerability.
This document was written by Jared Allar.
CVE IDs: | CVE-2014-0357 |
---|---|
Date Public: | 2014-04-11 |
Date First Published: | |