[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[MATTA-2011-001] pfSense x509 Insecure Certificate Creation



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256



	Matta Consulting - Matta Advisory
	    https://www.trustmatta.com

    pfSense x509 Insecure Certificate Creation

Advisory ID: MATTA-2011-001
CVE reference: CVE-2011-4197
Affected platforms: pfSense
Version: 2.0
Date: 2011-October-09
Security risk: High
Vulnerability: x509 Insecure Certificate Creation
Researcher: Florent Daigniere
Vendor Status: Notified / Patch available
Vulnerability Disclosure Policy:
 https://www.trustmatta.com/advisories/matta-disclosure-policy-01.txt
Permanent URL:
 https://www.trustmatta.com/advisories/MATTA-2011-001.txt

=====================================================================
Description:

Certificates issued by the builtin PKI mechanism of pfSense prior
 to version 2.0.1 set the basic constraint CA:true to all
 certificates issued.

=====================================================================
Impact

Any user in possession of a certificate issued by the builtin PKI can
 issue sub-certificates with arbitrary CNs, bypassing potential access
 controls. Specifics depend on what the certificates are being
 used for.

=====================================================================
Versions affected:

Firmware version 2.0 tested.

=====================================================================
Threat mitigation

Revoke existing certificates and re-issue them without the basic
 constraint set.

To verify the purpose of your certificates, you can use the
 following command:

$openssl x509 -in test.crt -noout -purpose|grep CA
SSL client CA : Yes
SSL server CA : Yes
Netscape SSL server CA : Yes
S/MIME signing CA : Yes
S/MIME encryption CA : Yes
CRL signing CA : Yes
Any Purpose CA : Yes
OCSP helper CA : Yes
Time Stamp signing CA : Yes

Patches are available at:
https://github.com/bsdperimeter/pfsense/commit/1379d66f11aaf72982a70287b83e24efcd18898e
https://github.com/bsdperimeter/pfsense/commit/87b4deb2b2dae9013e6aa0fe490d6a5a04a27894

=====================================================================
Credits

This vulnerability was discovered and researched by Florent Daigniere
 from Matta Consulting.

=====================================================================
History

09-10-11 initial discovery
09-10-11 initial attempt to contact the vendor
27-10-11 patch is available
21-12-11 pfSense 2.0.1 is released
22-12-11 this advisory is published

=====================================================================
About Matta

Matta is a privately held company with Headquarters in London, and a
 European office in Amsterdam.   Established in 2001, Matta operates
 in Europe, Asia, the Middle East and North America using a respected
 team of senior consultants.  Matta is an accredited provider of
 Tiger Scheme training; conducts regular research and is the developer
 behind the webcheck application scanner, and colossus network scanner.

https://www.trustmatta.com
https://www.trustmatta.com/training.html
https://www.trustmatta.com/webapp_va.html
https://www.trustmatta.com/network_va.html

=====================================================================
Disclaimer and Copyright

Copyright (c) 2011 Matta Consulting Limited. All rights reserved.
This advisory may be distributed as long as its distribution is
 free-of-charge and proper credit is given.

The information provided in this advisory is provided "as is" without
 warranty of any kind. Matta Consulting disclaims all warranties, either
 express or implied, including the warranties of merchantability and
 fitness for a particular purpose. In no event shall Matta Consulting or
 its suppliers be liable for any damages whatsoever including direct,
 indirect, incidental, consequential, loss of business profits or
 special damages, even if Matta Consulting or its suppliers have been
 advised of the possibility of such damages.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEcBAEBCAAGBQJO8wQwAAoJEKXMIWKFD6qpNpYH/23RLUU9VLKqgnuG3uVISMDr
kyjtoZ7heAVeZBBDX5XN2z0ZpapHCpPvVfR7ghp3J00W62SsUHiHTWyUHEP9FXLa
UMGNNCQXkEmfArSiOdhpSc3N4OpaavOQSi80CVK8TaeqAEtYuelz3Qo6ll9XgU8u
g6+woyi6h2LzxzqZpkn+4vo1j5YIGNSAVwBF+VVwrnuB73yCHjmngqY4ulg/dZ4J
1n4UgvTuwCeGaextDmzMl2ihs68jNcJx7vdtwUHGceXxwcoAHsfffh9LBuV5WyCJ
NAYXt9tWxCuTmOfEIJbzmxwdKcy1gMDVh2b3OlUwiLX2K7rw/kJeWpGayy111M8=
=LKfe
-----END PGP SIGNATURE-----