lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1324551069.7837.2.camel@neutron.trustmatta.com>
Date: Thu, 22 Dec 2011 10:51:09 +0000
From: Florent Daigniere <florent.daigniere@...stmatta.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Cc: advisories@...stmatta.com
Subject: [MATTA-2011-001] pfSense x509 Insecure
	Certificate Creation

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256



	Matta Consulting - Matta Advisory
	    https://www.trustmatta.com

    pfSense x509 Insecure Certificate Creation

Advisory ID: MATTA-2011-001
CVE reference: CVE-2011-4197
Affected platforms: pfSense
Version: 2.0
Date: 2011-October-09
Security risk: High
Vulnerability: x509 Insecure Certificate Creation
Researcher: Florent Daigniere
Vendor Status: Notified / Patch available
Vulnerability Disclosure Policy:
 https://www.trustmatta.com/advisories/matta-disclosure-policy-01.txt
Permanent URL:
 https://www.trustmatta.com/advisories/MATTA-2011-001.txt

=====================================================================
Description:

Certificates issued by the builtin PKI mechanism of pfSense prior
 to version 2.0.1 set the basic constraint CA:true to all
 certificates issued.

=====================================================================
Impact

Any user in possession of a certificate issued by the builtin PKI can
 issue sub-certificates with arbitrary CNs, bypassing potential access
 controls. Specifics depend on what the certificates are being
 used for.

=====================================================================
Versions affected:

Firmware version 2.0 tested.

=====================================================================
Threat mitigation

Revoke existing certificates and re-issue them without the basic
 constraint set.

To verify the purpose of your certificates, you can use the
 following command:

$openssl x509 -in test.crt -noout -purpose|grep CA
SSL client CA : Yes
SSL server CA : Yes
Netscape SSL server CA : Yes
S/MIME signing CA : Yes
S/MIME encryption CA : Yes
CRL signing CA : Yes
Any Purpose CA : Yes
OCSP helper CA : Yes
Time Stamp signing CA : Yes

Patches are available at:
https://github.com/bsdperimeter/pfsense/commit/1379d66f11aaf72982a70287b83e24efcd18898e
https://github.com/bsdperimeter/pfsense/commit/87b4deb2b2dae9013e6aa0fe490d6a5a04a27894

=====================================================================
Credits

This vulnerability was discovered and researched by Florent Daigniere
 from Matta Consulting.

=====================================================================
History

09-10-11 initial discovery
09-10-11 initial attempt to contact the vendor
27-10-11 patch is available
21-12-11 pfSense 2.0.1 is released
22-12-11 this advisory is published

=====================================================================
About Matta

Matta is a privately held company with Headquarters in London, and a
 European office in Amsterdam.   Established in 2001, Matta operates
 in Europe, Asia, the Middle East and North America using a respected
 team of senior consultants.  Matta is an accredited provider of
 Tiger Scheme training; conducts regular research and is the developer
 behind the webcheck application scanner, and colossus network scanner.

https://www.trustmatta.com
https://www.trustmatta.com/training.html
https://www.trustmatta.com/webapp_va.html
https://www.trustmatta.com/network_va.html

=====================================================================
Disclaimer and Copyright

Copyright (c) 2011 Matta Consulting Limited. All rights reserved.
This advisory may be distributed as long as its distribution is
 free-of-charge and proper credit is given.

The information provided in this advisory is provided "as is" without
 warranty of any kind. Matta Consulting disclaims all warranties, either
 express or implied, including the warranties of merchantability and
 fitness for a particular purpose. In no event shall Matta Consulting or
 its suppliers be liable for any damages whatsoever including direct,
 indirect, incidental, consequential, loss of business profits or
 special damages, even if Matta Consulting or its suppliers have been
 advised of the possibility of such damages.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEcBAEBCAAGBQJO8wQwAAoJEKXMIWKFD6qpNpYH/23RLUU9VLKqgnuG3uVISMDr
kyjtoZ7heAVeZBBDX5XN2z0ZpapHCpPvVfR7ghp3J00W62SsUHiHTWyUHEP9FXLa
UMGNNCQXkEmfArSiOdhpSc3N4OpaavOQSi80CVK8TaeqAEtYuelz3Qo6ll9XgU8u
g6+woyi6h2LzxzqZpkn+4vo1j5YIGNSAVwBF+VVwrnuB73yCHjmngqY4ulg/dZ4J
1n4UgvTuwCeGaextDmzMl2ihs68jNcJx7vdtwUHGceXxwcoAHsfffh9LBuV5WyCJ
NAYXt9tWxCuTmOfEIJbzmxwdKcy1gMDVh2b3OlUwiLX2K7rw/kJeWpGayy111M8=
=LKfe
-----END PGP SIGNATURE-----


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ