SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Device (Router/Bridge/Hub)  >   Openwave Mobile Access Gateway Vendors:   Openwave
Openwave's Mobile Access Gateway WAP Gateway Fails to Validate SSL Server Certificates in the Default Configuration
SecurityTracker Alert ID:  1001954
SecurityTracker URL:  http://securitytracker.com/id/1001954
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jul 10 2001
Impact:   Disclosure of user information


Description:   A security weakness was reported in the default configuration of Openwave's WAP gateway (Openwave Mobile Access Gateway) that causes the gateway to fail to verify the cryptographic validity of SSL server certificates.

When a remote mobile user connects to a secure web server via the WAP gateway, the gateway reportedly does not verify the server's certificate when the WAP gateway's default configuration is used. This makes it difficult for the remote user to determine if the secure web server is the valid server.

Impact:   When a remote mobile user connects to a secure web server via the WAP gateway, the user may communicate with an invalid secure server without knowledge that the server's certificate is invalid.
Solution:   A configuration modification can be made to enable certificate validation. The nature of the modification was not specified in the report.
Vendor URL:  www.openwave.com/products/mobile_services/mobile_access_gateway/ (Links to External Site)
Cause:   Configuration error

Message History:   None.


 Source Message Contents

Subject:  Many WAP gateways do not properly check SSL certificates



In a browser environment, when you connect to an site using SSL/TLS your
browser automatically checks that the domain part of the URL matches the
domain in the X.509 certificate that the HTTPS server presents when you
connect to it.

Since SSL certificates are tamper-evident as the cryptographic signature
is checked against the "root" certificates of the large CAs (Thawte,
Verisign, Global Trust etc.) this check gives assurance that the
requesting party is connected to the right host - i.e. you are safe from a
man-in-the-middle attack.

It appears that most WAP gateways do not carry out this check, or if they
do, no information about mismatches is passed back to the handset. In my
limited testing 3 of the 4 gateways used by UK mobile operators are
vulnerable. Given this ratio I would expect this to be a global issue.



CMG is aware of the problem and will be issuing a patch with the next
upgrade. (Vodafone UK)

Openwave (Phone.com) is shipped vulnerable by default but can be fixed by
configuration interface. (one2one, Virgin UK, BTCellnet/Genie)

Nokia on HP/UX is not vulnerable. (Orange UK, Cingular USA)



A browser-based testing tool for this issue is available at
http://wap.z-y-g-o.com/ along with other wireless security information.

Thanks to Rodney Tanner <RTanner@PRTM.com> for initially bringing this
issue to to my attention.


Regards,
	_Gus



-- 
                              - angus@z-y-g-o.com -
                       = Zygo Communications, London UK =
             -= 82 AA 4D 7F D8 45 58 05  6D 1B 1A 72 1E DB 31 B5 =-
                    Sorry, my karma has run over your dogma


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC