
Certificate trust vulnerability in Websense Content Gateway



SUMMARY
Websense Content Gateway proxy explicitly trusts compromised certificate authorities

Affected versions: Content Gateway 7.8.x
Not affected: Content Gateway 7.7.x, 8.0

DESCRIPTION
Websense Content Gateway is a filtering web proxy and content inspection application based on a modified Inktomi/Apache Traffic Server. To enable inspection and filtering of encrypted traffic, the application uses an internal certificate authority and decrypts and re-encrypts traffic passing through the device. Content Gateway therefore maintains its own list of trusted certificate authorities: clients cannot validate the origin server's certificate themselves, since all HTTPS traffic accessed via Content Gateway appears to them to be signed by the Content Gateway CA.

Websense updates the list of trusted certificate authorities with each new major version (7.7.0, 7.8.0, etc.). It appears new trusted certificates were imported from the Mozilla/NSS CA store for 7.8.0, but the "deny trust" flag was set incorrectly. Therefore, the status of compromised certificates (DigiNotar, UTN-USERFirst-Hardware, Digisign (Enrich)) was imported as "explicitly trusted" instead of "untrusted".

RISK
An attacker with access to these compromised certificates could mount a phishing or MITM attack against clients behind a Content Gateway without raising suspicions.

RESOLUTION
Websense will not release a patch for this issue. Users of affected systems can upgrade to 8.0, manually delete the compromised trusted certificate authorities, or change the status to "Deny". I have provided steps below which update the status in bulk from the OS shell (non-appliance).

FIX
You should review and test these steps first, and evaluate if any other trusted certificates should be updated or removed. These steps are not supported by Websense, and there is no warranty.

From the shell, execute the following commands. This script will change the "status" column to 1 (deny) for the certificate authorities with the listed hashes. Content Gateway must be stopped, or your changes will be overwritten.

sudo service WCG stop
sudo /usr/bin/sqlite3 /opt/WCG/config/new_scip3.db

Paste the following script:
UPDATE cert_issuer
SET status = 0
WHERE issuer_hash IN (
'20533f91_0FFFFFFF',
'46f053f0_0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF',
'84009bc3_0FFFFFFF',
'856583ec_0FFFFFFF',
'aee5f10d_07FFFFFFFFFF',
'b13cc6df_047ECBE9FCA55F7BD09EAE36E10CAE1E',
'b13cc6df_392A434F0E07DF1F8AA305DE34E0C229',
'b13cc6df_3E75CED46B693021218830AE86A82A71',
'b13cc6df_72032105C50C08573D8EA5304EFEE8B0',
'b13cc6df_9239D5348F40D1695A745470E1F23F43',
'b13cc6df_B0B7133ED096F9B56FAE91C874BD3AC0',
'b13cc6df_D7558FDAF5F1105BB213282B707729A3',
'b13cc6df_D8F35F4EB7872B2DAB0692E315382FB0',
'b13cc6df_E9028B9578E415DC1A710A2B88154447',
'b13cc6df_F5C86AF36162F13A64F54F6DC9587C06',
'c692a373_07FFFFFFFFFF',
'cc154c6e_0FFFFFFF',
'cee8e824_0FFFFFFF'
);
.quit

sudo service WCG start
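As an added illustration (not part of the advisory and not Websense code), the same UPDATE run through Python's sqlite3 module against a constructed copy of the cert_issuer table, with a status query before and after so you can confirm which of the listed issuer hashes exist on your system and were actually changed. The table layout and the sample "trusted" value 2 are assumptions; the advisory only names the issuer_hash and status columns, and the deny value 0 is taken from the script as posted.

```python
import os
import sqlite3
import tempfile

# Issuer hashes exactly as listed in the UPDATE script above.
COMPROMISED_ISSUER_HASHES = (
    '20533f91_0FFFFFFF', '46f053f0_0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF',
    '84009bc3_0FFFFFFF', '856583ec_0FFFFFFF', 'aee5f10d_07FFFFFFFFFF',
    'b13cc6df_047ECBE9FCA55F7BD09EAE36E10CAE1E', 'b13cc6df_392A434F0E07DF1F8AA305DE34E0C229',
    'b13cc6df_3E75CED46B693021218830AE86A82A71', 'b13cc6df_72032105C50C08573D8EA5304EFEE8B0',
    'b13cc6df_9239D5348F40D1695A745470E1F23F43', 'b13cc6df_B0B7133ED096F9B56FAE91C874BD3AC0',
    'b13cc6df_D7558FDAF5F1105BB213282B707729A3', 'b13cc6df_D8F35F4EB7872B2DAB0692E315382FB0',
    'b13cc6df_E9028B9578E415DC1A710A2B88154447', 'b13cc6df_F5C86AF36162F13A64F54F6DC9587C06',
    'c692a373_07FFFFFFFFFF', 'cc154c6e_0FFFFFFF', 'cee8e824_0FFFFFFF',
)

def issuer_statuses(db_path, issuer_hashes):
    """Return {issuer_hash: status} for the listed hashes present in cert_issuer."""
    marks = ",".join("?" * len(issuer_hashes))
    with sqlite3.connect(db_path) as con:
        rows = con.execute(f"SELECT issuer_hash, status FROM cert_issuer "
                           f"WHERE issuer_hash IN ({marks})", issuer_hashes).fetchall()
    return dict(rows)

def deny_issuers(db_path, issuer_hashes, deny_status):
    """Run the advisory's UPDATE; return (rows changed, listed hashes not in the table)."""
    marks = ",".join("?" * len(issuer_hashes))
    with sqlite3.connect(db_path) as con:  # the context manager commits on success
        changed = con.execute(f"UPDATE cert_issuer SET status = ? "
                              f"WHERE issuer_hash IN ({marks})", (deny_status, *issuer_hashes)).rowcount
    missing = sorted(set(issuer_hashes) - set(issuer_statuses(db_path, issuer_hashes)))
    return changed, missing

def make_sample_db(path=None, trusted_status=2):
    """Constructed stand-in for new_scip3.db. The table layout and the 'trusted' value 2 are
    assumptions; the advisory only names the issuer_hash and status columns."""
    path = path or os.path.join(tempfile.mkdtemp(), "new_scip3.db")
    with sqlite3.connect(path) as con:
        con.execute("CREATE TABLE cert_issuer (issuer_hash TEXT PRIMARY KEY, status INTEGER)")
        con.executemany("INSERT INTO cert_issuer VALUES (?, ?)",
                        [(h, trusted_status) for h in COMPROMISED_ISSUER_HASHES[:5]]
                        + [("00000000_CONSTRUCTED", trusted_status)])  # unrelated CA, must stay
    return path

if __name__ == "__main__":
    db = make_sample_db()
    changed, missing = deny_issuers(db, COMPROMISED_ISSUER_HASHES, deny_status=0)
    print(f"changed {changed} rows; {len(missing)} listed hashes were not present")
```

On a real system, point `db_path` at /opt/WCG/config/new_scip3.db with WCG stopped, and compare the `issuer_statuses` output before and after against the 18 hashes above.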


TIMELINE
10/10/2014: Opened case with Websense support
10/30/2014: Websense support claims product does not include compromised certificates, and that I added them. I disagree, and verify that a clean install of the product does include them.
11/11/2014: Informed by support that Websense will review the certificates for the next release, but will not issue a patch for existing systems.
11/19/2014: Attempt to escalate issue via sales instead of support
11/20/2014: Sales says they're checking with product management about a patch
1/20/2015: Asked for update on patch
1/21/2015: Informed 8.0 product will include a fix
2/3/2015: Triton 8.0 product released; compromised certificates are no longer included at all

Thanks to Websense Product Security for correcting an error in the SQL script above.