Open ISES Tickets TLS Certificate Verification Vulnerability in Mobile Login Flow

Vulnerability

A vulnerability exists in Open ISES Tickets versions prior to 3.44.2, where the application disables TLS certificate verification during the mobile login process. The affected code sets CURLOPT_SSL_VERIFYPEER to false and omits CURLOPT_SSL_VERIFYHOST when making outbound HTTPS requests. As a result, an attacker on the network path can intercept, monitor, or modify the requests and responses, potentially exposing API keys or session data.

Impact

This vulnerability allows for man-in-the-middle attacks, where an attacker can intercept and alter communications between the server and a remote endpoint.

Reproduction

To reproduce this vulnerability, log into an affected version of Open ISES Tickets using the mobile RouteMate application. During the login process, the application will make an HTTPS request to the server without verifying the TLS certificate. This can be observed by intercepting the network traffic and noting that the request is sent without proper certificate validation.

Remediation

Users are advised to upgrade to Open ISES Tickets version 3.44.2 or later, where this vulnerability has been patched.
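
To confirm that an installed copy or local customizations no longer carry the pattern described above, the following added example (not code from Open ISES Tickets or from this advisory) scans PHP source for cURL options that switch verification off. The function names and the PHP sample are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Matches curl_setopt($ch, OPT, value) and "OPT => value" in curl_setopt_array.
# Only literal values are matched; an option set from a variable is not flagged.
OPTION = re.compile(r"""(CURLOPT_SSL_VERIFY(?:PEER|HOST))\s*(?:,|=>)\s*['"]?(\w+)""")
DISABLED = {"false", "0"}  # literal values that turn the check off

def find_weak_tls_options(source):
    """Return (line_number, option, value) for each disabled verification option."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith(("//", "#", "*", "/*")):
            continue  # skip commented-out code
        for option, value in OPTION.findall(line):
            if value.lower() in DISABLED:
                findings.append((lineno, option, value.lower()))
    return findings

def scan_tree(root):
    """Scan every .php file under root; return {path: findings} for files with hits."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = find_weak_tls_options(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample input, not taken from the Open ISES Tickets source.
SAMPLE_PHP = """<?php
// constructed sample
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
// curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
$ok = curl_init($url);
curl_setopt_array($ok, [
    CURLOPT_SSL_VERIFYPEER => true,
    CURLOPT_SSL_VERIFYHOST => 2,
]);
$bad = curl_init($url);
curl_setopt_array($bad, [CURLOPT_SSL_VERIFYPEER => 0, CURLOPT_SSL_VERIFYHOST => FALSE]);
"""

if __name__ == "__main__":
    # With a directory argument, scan it; otherwise scan the embedded sample.
    result = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else find_weak_tls_options(SAMPLE_PHP)
    print(result)
```

Run it with the installation directory as the argument; an empty result means no literal `false` or `0` is assigned to either option in the scanned files.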

Added: May 21, 2026, 6:24 PM
Updated: May 21, 2026, 6:24 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 7.0
remediation: 0.0
relevance: 8.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.