You are here

T-711: Fraudulent Google Digital Certificates Could Allow Man-in-the-Middle Attacks

September 7, 2011 - 9:30am

Addthis

PROBLEM:

A fraudulent Google.com digital certificate was issued by a certificate authority. This certificate could allow an unauthenticated, remote attacker to access sensitive user data via a man-in-the-middle attack.

PLATFORM:

Most Microsoft Windows operating systems, DigiNotar is a CA in the Trusted Root Certification Authorities certificate store. Multiple browsers, including Microsoft Internet Explorer, Google Chrome, and Mozilla Firefox could also be configured with the compromised CA as one of their trusted issuers.

ABSTRACT:

Fraudulent Google Digital Certificates Could Allow Man-in-the-Middle Attacks.

reference LINKS:

Cisco IntelliShield ID: 24031
Microsoft Security Advisory: 2607712
DOE-CIRC Tech Bulletin T-706
Mozilla Advisory 2011-34
RHSA-2011:1242-1
RHSA-2011:1243-1
RHSA-2011:1244-1
RHSA-2011:1248-1

IMPACT ASSESSMENT:

High

Discussion:

This SSL certificate was issued by a trusted root certificate authority (CA), DigiNotar. The fraudulent digital certificate was deemed to be active for the period between July 10, 2011, and July 9, 2013, and was signed with *.google.com as its commonName. The commonName field identifies the owner of the certificate and cannot be changed without invalidating the certificate. The use of such an entry in the commonName field indicates validity for any of Google's domains that use SSL.

On most Microsoft Windows operating systems, DigiNotar is a CA in the Trusted Root Certification Authorities certificate store. Multiple browsers, including Microsoft Internet Explorer, Google Chrome, and Mozilla Firefox could also be configured with the compromised CA as one of their trusted issuers. Because of this configuration, users on compromised networks could be redirected to a resource that could use the fraudulent certificate, and a malicious resource could be mistaken as a legitimate one. This could allow an unauthenticated, remote attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.

Impact: (Alert History)

Version 3, September 2, 2011, 10:43 AM:
Red Hat has released an additional security advisory and updated packages to address the fraudulent Google digital certificates man-in-the-middle attacks vulnerability.
Version 2, September 1, 2011, 8:38 AM:
Mozilla has released an additional security advisory to address the fraudulent Google digital certificates man-in-the-middle attacks vulnerability. Red Hat has also released security advisories and updated packages to address this vulnerability.
Version 1, August 30, 2011, 2:01 PM:
A fraudulent Google.com digital certificate was issued that could allow an unauthenticated, remote attacker to access sensitive user data via a man-in-the-middle attack. This certificate has since been revoked.

Solution:

Google Chrome users could be protected from such vulnerabilities because of the certificate pinning feature.
Administrators and users may consider invalidating the compromised CA, DigiNotar, in their list of trusted certificates as a mitigation method.
CentOS packages can be updated using the up2date or yum command.

Addthis