CVE-2017-9968

NVD

https://nvd.nist.gov/vuln/detail/CVE-2017-9968

CWE

https://cwe.mitre.org/data/definitions/295.html

A security misconfiguration vulnerability exists in Schneider Electrics IGSS Mobile application versions 3.01 and prior in which a lack of certificate pinning during the TLS/SSL connection establishing process can result in a man-in-the-middle attack.

Weakness

The product does not validate, or incorrectly validates, a certificate.

Affected Software

Name	Vendor	Start Version	End Version
Igss_mobile	Schneider-electric	*	3.01 (including)

Potential Mitigations

https://cwe.mitre.org/data/definitions/459.html
https://cwe.mitre.org/data/definitions/475.html

References

http://www.securityfocus.com/bid/103048
https://ics-cert.us-cert.gov/advisories/ICSA-18-046-03
https://www.schneider-electric.com/en/download/document/SEVD-2018-039-02/

Improper Certificate Validation

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References