what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

pfSense x509 Insecure Certificate Creation

pfSense x509 Insecure Certificate Creation
Posted Dec 22, 2011
Authored by Florent Daigniere | Site trustmatta.com

pfSense version 2.0 suffers from an insecure x509 certificate creation vulnerability.

tags | advisory
advisories | CVE-2011-4197
SHA-256 | 3b7b79a0f1b97c9c7fca044603df65f48dd8eadf29bf8a745b42255bc9c6afe4

pfSense x509 Insecure Certificate Creation

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256



Matta Consulting - Matta Advisory
https://www.trustmatta.com

pfSense x509 Insecure Certificate Creation

Advisory ID: MATTA-2011-001
CVE reference: CVE-2011-4197
Affected platforms: pfSense
Version: 2.0
Date: 2011-October-09
Security risk: High
Vulnerability: x509 Insecure Certificate Creation
Researcher: Florent Daigniere
Vendor Status: Notified / Patch available
Vulnerability Disclosure Policy:
https://www.trustmatta.com/advisories/matta-disclosure-policy-01.txt
Permanent URL:
https://www.trustmatta.com/advisories/MATTA-2011-001.txt

=====================================================================
Description:

Certificates issued by the builtin PKI mechanism of pfSense prior
to version 2.0.1 set the basic constraint CA:true to all
certificates issued.

=====================================================================
Impact

Any user in possession of a certificate issued by the builtin PKI can
issue sub-certificates with arbitrary CNs, bypassing potential access
controls. Specifics depend on what the certificates are being
used for.

=====================================================================
Versions affected:

Firmware version 2.0 tested.

=====================================================================
Threat mitigation

Revoke existing certificates and re-issue them without the basic
constraint set.

To verify the purpose of your certificates, you can use the
following command:

$openssl x509 -in test.crt -noout -purpose|grep CA
SSL client CA : Yes
SSL server CA : Yes
Netscape SSL server CA : Yes
S/MIME signing CA : Yes
S/MIME encryption CA : Yes
CRL signing CA : Yes
Any Purpose CA : Yes
OCSP helper CA : Yes
Time Stamp signing CA : Yes

Patches are available at:
https://github.com/bsdperimeter/pfsense/commit/1379d66f11aaf72982a70287b83e24efcd18898e
https://github.com/bsdperimeter/pfsense/commit/87b4deb2b2dae9013e6aa0fe490d6a5a04a27894

=====================================================================
Credits

This vulnerability was discovered and researched by Florent Daigniere
from Matta Consulting.

=====================================================================
History

09-10-11 initial discovery
09-10-11 initial attempt to contact the vendor
27-10-11 patch is available
21-12-11 pfSense 2.0.1 is released
22-12-11 this advisory is published

=====================================================================
About Matta

Matta is a privately held company with Headquarters in London, and a
European office in Amsterdam. Established in 2001, Matta operates
in Europe, Asia, the Middle East and North America using a respected
team of senior consultants. Matta is an accredited provider of
Tiger Scheme training; conducts regular research and is the developer
behind the webcheck application scanner, and colossus network scanner.

https://www.trustmatta.com
https://www.trustmatta.com/training.html
https://www.trustmatta.com/webapp_va.html
https://www.trustmatta.com/network_va.html

=====================================================================
Disclaimer and Copyright

Copyright (c) 2011 Matta Consulting Limited. All rights reserved.
This advisory may be distributed as long as its distribution is
free-of-charge and proper credit is given.

The information provided in this advisory is provided "as is" without
warranty of any kind. Matta Consulting disclaims all warranties, either
express or implied, including the warranties of merchantability and
fitness for a particular purpose. In no event shall Matta Consulting or
its suppliers be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or
special damages, even if Matta Consulting or its suppliers have been
advised of the possibility of such damages.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEcBAEBCAAGBQJO8wQwAAoJEKXMIWKFD6qpNpYH/23RLUU9VLKqgnuG3uVISMDr
kyjtoZ7heAVeZBBDX5XN2z0ZpapHCpPvVfR7ghp3J00W62SsUHiHTWyUHEP9FXLa
UMGNNCQXkEmfArSiOdhpSc3N4OpaavOQSi80CVK8TaeqAEtYuelz3Qo6ll9XgU8u
g6+woyi6h2LzxzqZpkn+4vo1j5YIGNSAVwBF+VVwrnuB73yCHjmngqY4ulg/dZ4J
1n4UgvTuwCeGaextDmzMl2ihs68jNcJx7vdtwUHGceXxwcoAHsfffh9LBuV5WyCJ
NAYXt9tWxCuTmOfEIJbzmxwdKcy1gMDVh2b3OlUwiLX2K7rw/kJeWpGayy111M8=
=LKfe
-----END PGP SIGNATURE-----


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    0 Files
  • 9
    Nov 9th
    0 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close