[MATTA-2011-001] pfSense x509 Insecure Certificate Creation



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256



Matta Consulting - Matta Advisory
https://www.trustmatta.com

pfSense x509 Insecure Certificate Creation

Advisory ID: MATTA-2011-001
CVE reference: CVE-2011-4197
Affected platforms: pfSense
Version: 2.0
Date: 2011-October-09
Security risk: High
Vulnerability: x509 Insecure Certificate Creation
Researcher: Florent Daigniere
Vendor Status: Notified / Patch available
Vulnerability Disclosure Policy:
https://www.trustmatta.com/advisories/matta-disclosure-policy-01.txt
Permanent URL:
https://www.trustmatta.com/advisories/MATTA-2011-001.txt

=====================================================================
Description:

Certificates issued by the builtin PKI mechanism of pfSense prior
to version 2.0.1 set the basic constraint CA:true to all
certificates issued.

=====================================================================
Impact

Any user in possession of a certificate issued by the builtin PKI can
issue sub-certificates with arbitrary CNs, bypassing potential access
controls. Specifics depend on what the certificates are being
used for.

=====================================================================
Versions affected:

Firmware version 2.0 tested.

=====================================================================
Threat mitigation

Revoke existing certificates and re-issue them without the basic
constraint set.

To verify the purpose of your certificates, you can use the
following command:

$openssl x509 -in test.crt -noout -purpose|grep CA
SSL client CA : Yes
SSL server CA : Yes
Netscape SSL server CA : Yes
S/MIME signing CA : Yes
S/MIME encryption CA : Yes
CRL signing CA : Yes
Any Purpose CA : Yes
OCSP helper CA : Yes
Time Stamp signing CA : Yes

Patches are available at:
https://github.com/bsdperimeter/pfsense/commit/1379d66f11aaf72982a70287b83e24efcd18898e
https://github.com/bsdperimeter/pfsense/commit/87b4deb2b2dae9013e6aa0fe490d6a5a04a27894

=====================================================================
Credits

This vulnerability was discovered and researched by Florent Daigniere
from Matta Consulting.

=====================================================================
History

09-10-11 initial discovery
09-10-11 initial attempt to contact the vendor
27-10-11 patch is available
21-12-11 pfSense 2.0.1 is released
22-12-11 this advisory is published

=====================================================================
About Matta

Matta is a privately held company with Headquarters in London, and a
European office in Amsterdam. Established in 2001, Matta operates
in Europe, Asia, the Middle East and North America using a respected
team of senior consultants. Matta is an accredited provider of
Tiger Scheme training; conducts regular research and is the developer
behind the webcheck application scanner, and colossus network scanner.

https://www.trustmatta.com
https://www.trustmatta.com/training.html
https://www.trustmatta.com/webapp_va.html
https://www.trustmatta.com/network_va.html

=====================================================================
Disclaimer and Copyright

Copyright (c) 2011 Matta Consulting Limited. All rights reserved.
This advisory may be distributed as long as its distribution is
free-of-charge and proper credit is given.

The information provided in this advisory is provided "as is" without
warranty of any kind. Matta Consulting disclaims all warranties, either
express or implied, including the warranties of merchantability and
fitness for a particular purpose. In no event shall Matta Consulting or
its suppliers be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or
special damages, even if Matta Consulting or its suppliers have been
advised of the possibility of such damages.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEcBAEBCAAGBQJO8wQwAAoJEKXMIWKFD6qpNpYH/23RLUU9VLKqgnuG3uVISMDr
kyjtoZ7heAVeZBBDX5XN2z0ZpapHCpPvVfR7ghp3J00W62SsUHiHTWyUHEP9FXLa
UMGNNCQXkEmfArSiOdhpSc3N4OpaavOQSi80CVK8TaeqAEtYuelz3Qo6ll9XgU8u
g6+woyi6h2LzxzqZpkn+4vo1j5YIGNSAVwBF+VVwrnuB73yCHjmngqY4ulg/dZ4J
1n4UgvTuwCeGaextDmzMl2ihs68jNcJx7vdtwUHGceXxwcoAHsfffh9LBuV5WyCJ
NAYXt9tWxCuTmOfEIJbzmxwdKcy1gMDVh2b3OlUwiLX2K7rw/kJeWpGayy111M8=
=LKfe
-----END PGP SIGNATURE-----



Relevant Pages