Sign-up

ID

VAR-201602-0073


CVE

CVE-2016-2268


TITLE

Apple iOS for Dell SecureWorks Vulnerability impersonating server in mobile application

Trust: 0.8

sources: JVNDB: JVNDB-2016-001638

DESCRIPTION

Dell SecureWorks app before 2.1 for iOS does not validate SSL certificates, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. Dell SecureWorks is prone to a security-bypass vulnerability because the application fails to properly validate SSL certificates. Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks and bypass certain security restrictions. Dell SecureWorks 2.0.6 and prior versions are vulnerable. The Dell SecureWorks app for iOS is a set of mobile applications based on the iOS system of Dell in the United States for accessing the security information of Dell SecureWorks. The program supports rapid response to security incidents and comments, updates, etc. on critical security incidents. Impact An attacker who can perform a man in the middle attack may present a bogus SSL certificate which the application will accept silently. Usernames, passwords and sensitive information could be captured by an attacker without the user's knowledge. Timeline October 4, 2015 - Notified Dell SecureWorks via security@secureworks.com & security@dell.com October 6, 2015 - Dell SecureWorks responded stating that they are investigating October 15, 2015 - Dell SecureWorks asked for steps to reproduce the vulnerability October 15, 2015 - Provided steps to reproduce October 22, 2015 - Dell SecureWorks confirmed the vulnerability October 22, 2015 - Asked for a timeline to release the new version October 26, 2015 - Dell SecureWorks responded stating they are working on an update but do not have a timeline February 2, 2016 - Dell SecureWorks released version 2.1 which resolves this vulnerability Solution Upgrade to version 2.1 or later

Trust: 2.07

sources: NVD: CVE-2016-2268 // JVNDB: JVNDB-2016-001638 // BID: 82655 // VULHUB: VHN-91087 // PACKETSTORM: 135617

AFFECTED PRODUCTS

vendor:dellmodel:secureworksscope:eqversion:2.0.6

Trust: 1.6

vendor:dell secureworksmodel:mobile applicationscope:ltversion:2.1

Trust: 0.8

sources: JVNDB: JVNDB-2016-001638 // CNNVD: CNNVD-201602-168 // NVD: CVE-2016-2268

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-2268
value: MEDIUM

Trust: 1.0

NVD: CVE-2016-2268
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201602-168
value: MEDIUM

Trust: 0.6

VULHUB: VHN-91087
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2016-2268
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-91087
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2016-2268
baseSeverity: MEDIUM
baseScore: 6.8
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.2
impactScore: 4.0
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-91087 // JVNDB: JVNDB-2016-001638 // CNNVD: CNNVD-201602-168 // NVD: CVE-2016-2268

PROBLEMTYPE DATA

problemtype:CWE-310

Trust: 1.9

sources: VULHUB: VHN-91087 // JVNDB: JVNDB-2016-001638 // NVD: CVE-2016-2268

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201602-168

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-201602-168

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2016-001638

PATCH
title:Dell SecureWorksurl:https://itunes.apple.com/us/app/dell-secureworks/id533072046
Trust: 0.8
title:Top Pageurl:http://www.secureworks.jp/
Trust: 0.8
title:Dell SecureWorks app for iOS Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=60114
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2016-001638 // 
            
            
            
            CNNVD: CNNVD-201602-168

EXTERNAL IDS
db:NVDid:CVE-2016-2268
Trust: 2.8
db:PACKETSTORMid:135617
Trust: 1.2
db:JVNDBid:JVNDB-2016-001638
Trust: 0.8
db:CNNVDid:CNNVD-201602-168
Trust: 0.7
db:BIDid:82655
Trust: 0.4
db:VULHUBid:VHN-91087
Trust: 0.1
sources:
            
            
            VULHUB: VHN-91087 // 
            
            
            
            BID: 82655 // 
            
            
            
            JVNDB: JVNDB-2016-001638 // 
            
            
            
            PACKETSTORM: 135617 // 
            
            
            
            CNNVD: CNNVD-201602-168 // 
            
            
            
            NVD: CVE-2016-2268

REFERENCES
url:http://www.info-sec.ca/advisories/dell-secureworks.html
Trust: 2.9
url:https://itunes.apple.com/us/app/dell-secureworks/id533072046
Trust: 1.7
url:http://seclists.org/fulldisclosure/2016/feb/27
Trust: 1.7
url:http://www.securityfocus.com/archive/1/537445/100/0/threaded
Trust: 1.1
url:http://packetstormsecurity.com/files/135617/dell-secureworks-ios-certificate-validation-failure.html
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-2268
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-2268
Trust: 0.8
url:http://www.securityfocus.com/archive/1/archive/1/537445/100/0/threaded
Trust: 0.6
url:http://dell.com
Trust: 0.3
url:http://seclists.org/bugtraq/2016/feb/24
Trust: 0.3
url:https://itunes.apple.com/us/app/dell-secureworks/id533072046)
Trust: 0.1
sources:
            
            
            VULHUB: VHN-91087 // 
            
            
            
            BID: 82655 // 
            
            
            
            JVNDB: JVNDB-2016-001638 // 
            
            
            
            PACKETSTORM: 135617 // 
            
            
            
            CNNVD: CNNVD-201602-168 // 
            
            
            
            NVD: CVE-2016-2268

CREDITS
David Coomber
Trust: 0.4
sources:
            
            
            BID: 82655 // 
            
            
            
            PACKETSTORM: 135617

SOURCES
db:VULHUBid:VHN-91087
db:BIDid:82655
db:JVNDBid:JVNDB-2016-001638
db:PACKETSTORMid:135617
db:CNNVDid:CNNVD-201602-168
db:NVDid:CVE-2016-2268

LAST UPDATE DATE
2025-04-13T23:26:39.614000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-91087date:2018-10-09T00:00:00
db:BIDid:82655date:2016-07-06T12:17:00
db:JVNDBid:JVNDB-2016-001638date:2016-06-01T00:00:00
db:CNNVDid:CNNVD-201602-168date:2016-02-15T00:00:00
db:NVDid:CVE-2016-2268date:2025-04-12T10:46:40.837

SOURCES RELEASE DATE
db:VULHUBid:VHN-91087date:2016-02-08T00:00:00
db:BIDid:82655date:2016-02-03T00:00:00
db:JVNDBid:JVNDB-2016-001638date:2016-03-09T00:00:00
db:PACKETSTORMid:135617date:2016-02-05T17:22:22
db:CNNVDid:CNNVD-201602-168date:2016-02-15T00:00:00
db:NVDid:CVE-2016-2268date:2016-02-08T19:59:09.783