Man-in-the-middle attack in Siveillance VMS Video for Android and Siveillance VMS Video for iOS - CVE-2018-4849

 

Published: May 8, 2018 / Updated: May 10, 2018


Vulnerability identifier: #VU12521
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-4849
CWE-ID: CWE-300
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Siemens
Affected software:
Siveillance VMS Video for Android
Siveillance VMS Video for iOS

Detailed vulnerability description

The vulnerability allows a remote attacker to conduct a man-in-the-middle attack on the target system.

The vulnerability exists due to improper certificate validation. A remote attacker can conduct a man-in-the-middle attack: by intercepting the communication channel between the affected app and a server and generating a certificate for which the validation algorithm produces a checksum identical to that of a trusted certificate, the attacker can read data from and write data to the encrypted communication channel between the app and the server.


How to mitigate CVE-2018-4849

Install the update from the vendor's website.

Sources