Affected software: Tomedo Server 1.7.3
Vulnerability type: Cleartext Transmission of Sensitive Information & Weak Cryptography for Passwords
Vulnerable version: Tomedo Server 1.7.3
Vulnerable component: Customer Tomedo Server that communicates with Vendor Tomedo Update Server
Vendor report confidence: Confirmed
Fixed version: Version later then 1.7.3
Vendor notification: 20/09/19
Solution date: 25/09/19
CVE reference: CVE-2019-17393
CVSS Score: 3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Credits: Chris Hein, ProSec GmbH
20th September 2019 Initial contact - no response
25th September second contact attempt
28th September Vendor responded and released an update
14th October fulldisclosure
The Customer’s Tomedo Server in Version 1.7.3 communicates to the Vendor Tomedo Server via HTTP (in cleartext) that can be sniffed by unauthorized actors.
Basic authentication is used for the authentication what’s makes it possible to base64 decode the sniffed credentials and get hold of the username and password.
Proof of concept:
Capture the traffic between the Tomedo servers via a proxy or a MITM attack and base64 decode the credentials from the HTTP GET request.