SecurityTracker.com
Category:   Application (Generic)  >   WAP Service Broker
Vendors:   CMG Wireless Data Solutions
CMG's WAP Service Broker WAP Gateway Fails to Validate SSL Server Certificates
SecurityTracker Alert ID:  1001957
SecurityTracker URL:  http://securitytracker.com/id/1001957
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 10 2001
Impact:   Disclosure of user information
Vendor Confirmed:  Yes  

Description:   A security vulnerability was reported in the CMG Wireless Data Solutions WAP Service Broker WAP gateway. The gateway fails to verify the cryptographic validity of SSL server certificates.

When a remote mobile user connects to a secure web server via the WAP gateway, the gateway reportedly does not verify the server's certificate. This makes it difficult for the remote user to determine if the secure web server is the valid server.

The vendor has reportedly been notified.

Impact:   When a remote mobile user connects to a secure web server via the WAP gateway, the user may communicate with an invalid secure server without knowledge that the server's certificate is invalid.
Solution:   The vendor reportedly plans a fix for the next release.
Vendor URL:  www.cmgwds.com/asp/home.asp
Cause:   State error
Underlying OS:  UNIX (Solaris - SunOS), UNIX (Tru64)

Message History:   None.


 Source Message Contents

Subject:  Many WAP gateways do not properly check SSL certificates



In a browser environment, when you connect to a site using SSL/TLS your
browser automatically checks that the domain part of the URL matches the
domain in the X.509 certificate that the HTTPS server presents when you
connect to it.

Since SSL certificates are tamper-evident as the cryptographic signature
is checked against the "root" certificates of the large CAs (Thawte,
Verisign, Global Trust etc.) this check gives assurance that the
requesting party is connected to the right host - i.e. you are safe from a
man-in-the-middle attack.

It appears that most WAP gateways do not carry out this check, or if they
do, no information about mismatches is passed back to the handset. In my
limited testing 3 of the 4 gateways used by UK mobile operators are
vulnerable. Given this ratio I would expect this to be a global issue.



CMG is aware of the problem and will be issuing a patch with the next
upgrade. (Vodafone UK)

Openwave (Phone.com) is shipped vulnerable by default but can be fixed by
configuration interface. (one2one, Virgin UK, BTCellnet/Genie)

Nokia on HP/UX is not vulnerable. (Orange UK, Cingular USA)



A browser-based testing tool for this issue is available at
http://wap.z-y-g-o.com/ along with other wireless security information.

Thanks to Rodney Tanner <RTanner@PRTM.com> for initially bringing this
issue to my attention.


Regards,
	_Gus



-- 
                              - angus@z-y-g-o.com -
                       = Zygo Communications, London UK =
             -= 82 AA 4D 7F D8 45 58 05  6D 1B 1A 72 1E DB 31 B5 =-
                    Sorry, my karma has run over your dogma


 
 



Copyright 2021, SecurityGlobal.net LLC