Share
Affected software: Tomedo Server 1.7.3  
Vulnerability type: Cleartext Transmission of Sensitive Information & Weak Cryptography for Passwords  
Vulnerable version: Tomedo Server 1.7.3  
Vulnerable component: Customer Tomedo Server that communicates with Vendor Tomedo Update Server  
Vendor report confidence: Confirmed  
Fixed version: Version later then 1.7.3  
Vendor notification: 20/09/19  
Solution date: 25/09/19  
CVE reference: CVE-2019-17393  
CVSS Score: 3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N   
Credits: Chris Hein, ProSec GmbH  
Communication Timeline:   
20th September 2019 Initial contact - no response  
25th September second contact attempt  
28th September Vendor responded and released an update  
14th October fulldisclosure   
  
Vulnerability Details:  
The Customer’s Tomedo Server in Version 1.7.3 communicates to the Vendor Tomedo Server via HTTP (in cleartext) that can be sniffed by unauthorized actors.  
Basic authentication is used for the authentication what’s makes it possible to base64 decode the sniffed credentials and get hold of the username and password.  
  
Proof of concept:  
Capture the traffic between the Tomedo servers via a proxy or a MITM attack and base64 decode the credentials from the HTTP GET request.