Panda SM Manager iOS Application - MITM SSL Certificate Vulnerability -- http://www.info-sec.ca/advisories/Panda-Security-SM-Manager.html Overview "Panda Systems Management is the new way to manage and monitor IT systems." "Inventory, monitoring, management, remote control and reporting... All from a single Web-based console" (https://itunes.apple.com/us/app/panda-sm-manager/id672205099) Issue The Panda SM Manager iOS application (version 2.0.10 and below) does not validate the SSL certificate it receives when connecting to a secure site. Impact An attacker who can perform a man in the middle attack may present a bogus SSL certificate which the application will accept silently. Usernames, passwords and sensitive information could be captured by an attacker without the user's knowledge. Timeline July 19, 2015 - Notified Panda Security via security@xxxxxxxxxxxxxxxxx, e-mail bounced July 20, 2015 - Resent vulnerability report to corporatesupport@xxxxxxxxxxxxxxxxxxxx & security@xxxxxxxxxxxxxxxxxxxx July 20, 2015 - Panda Security responded stating they will investigate July 31, 2015 - Asked for an update on their investigation August 3, 2015 - Panda Security responded stating that the issue has been escalated and is still being reviewed August 14, 2015 - Asked for an update on their investigation October 16, 2015 - Asked for an update on their investigation March 1, 2016 - Panda Security released version 2.6.0 which resolves this vulnerability Solution Upgrade to version 2.6.0 or later
