
Certificate Authority

[ MDVSA-2011:133 ] mozilla

 Security issues were identified and fixed in mozilla firefox and
 thunderbird:
 
 As more information has come to light about the attack on the DigiNotar
 Certificate Authority we have improved the protections added in MFSA
 2011-34. The main change is to add explicit distrust to the DigiNotar
 root certificate and several intermediates. Removing the root as in
 our previous fix meant the certificates could be considered valid if
 cross-signed by another Certificate Authority. Importantly this list
 of distrusted certificates includes the PKIOverheid (PKIGovernment)

Cisco Security Advisory: Cisco Unified Communications Manager Denial of Service Vulnerabilities

cause an interruption in voice services, if exploited. These
vulnerabilities were discovered internally by Cisco. The following
Cisco Unified Communications Manager services are affected:

  * Certificate Trust List (CTL) Provider
  * Certificate Authority Proxy Function (CAPF)
  * Session Initiation Protocol (SIP)
  * Simple Network Management Protocol (SNMP) Trap

Cisco has released free software updates that address these
vulnerabilities. Workarounds that mitigate some of these

VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components

    Service Console package curl updated to version 7.15.5-2.1.el5_3.5

    cURL is affected by the previously published "null prefix attack",
    caused by incorrect handling of NULL characters in X.509
    certificates. If an attacker is able to get a carefully-crafted
    certificate signed by a trusted Certificate Authority, the attacker
    could use the certificate during a man-in-the-middle attack and
    potentially confuse cURL into accepting it by mistake.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2009-2417 to this issue

VMSA-2012-0001 VMware ESXi and ESX updates to third party library and ESX Service Console

    The ESX Service Console (COS) nspr and nss RPMs are updated to
    nspr-4.8.8-1.el5_7 and nss-3.12.10-4.el5_7 respectively, resolving
    a security issue.

    A Certificate Authority (CA) issued fraudulent SSL certificates and
    Netscape Portable Runtime (NSPR) and Network Security Services (NSS)
    contain the built-in tokens of this fraudulent Certificate
    Authority. This update renders all SSL certificates signed by the
    fraudulent CA as untrusted for all uses.


[USN-1007-1] NSS vulnerabilities

Details follow:

Richard Moore discovered that NSS would sometimes incorrectly match an SSL
certificate which had a Common Name that used a wildcard followed by a partial
IP address. While it is very unlikely that a Certificate Authority would issue
such a certificate, if an attacker were able to perform a man-in-the-middle
attack, this flaw could be exploited to view sensitive information.
(CVE-2010-3170)

Nelson Bolyard discovered a weakness in the Diffie-Hellman Ephemeral mode

Re: Aruba Mobility Controller Shared Default Certificate - Response from Aruba Networks

 This certificate is included primarily for the purposes of feature
demonstration and convenience and is not intended for long-term use in
production networks. Users in a production environment are urged to
obtain and install a certificate issued for their site or domain by a
well-known certificate authority (CA). You can generate a Certificate
Signing Request (CSR) on the controller to submit to a CA. For
information on how to generate a CSR and how to import the CA-signed
certificate into the controller, see "Managing Certificates" on page
517 in Chapter 19, "Configuring Management Access"."


[ MDVSA-2009:333 ] postgresql

 Multiple vulnerabilities were discovered and corrected in postgresql:
 
 NULL Bytes in SSL Certificates can be used to falsify client or server
 authentication. This only affects users who have SSL enabled, perform
 certificate name validation or client certificate authentication,
 and where the Certificate Authority (CA) has been tricked into
 issuing invalid certificates. The use of a CA that can be trusted to
 always issue valid certificates is recommended to ensure you are not
 vulnerable to this issue (CVE-2009-4034).
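The cURL entry (CVE-2009-2417) and this PostgreSQL entry (CVE-2009-4034) are both instances of the "null prefix" bug, and the NSS entry under USN-1007-1 (CVE-2010-3170) is the neighbouring wildcard-versus-IP-address bug. All three live in the same place, the hostname matcher, so one example covers them. The following is an added example, not code from cURL, PostgreSQL or NSS: a matcher that reproduces both mistakes beside a hardened one. The certificate CNs are constructed for the example.

```python
import ipaddress

# Constructed subject CNs (not from real certificates). The first carries the
# embedded NUL of the "null prefix" attack; the second is a wildcard that
# overlaps the tail of an IP address.
SAMPLE_CERT_CNS = {
    "null_prefix": "www.bank.example\x00.attacker.example",
    "wildcard_ip": "*.168.1.1",
    "good_wildcard": "*.bank.example",
}

def vulnerable_match(cn, host):
    """Reproduces both mistakes: the CN is handed to C-string routines, so it is
    cut at the first NUL, and a wildcard is matched as a bare suffix with no
    check on whether the host is an IP literal or how many labels it spans."""
    cn = cn.split("\x00", 1)[0].lower()      # what strlen()/strcmp() would see
    host = host.lower()
    if cn.startswith("*"):
        return host.endswith(cn[1:])
    return cn == host

def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def hardened_match(cn, host):
    """Length-aware comparison with conservative wildcard rules."""
    if "\x00" in cn:                          # no legitimate name contains NUL
        return False
    cn = cn.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in cn:
        return cn == host
    # Wildcards never apply to IP addresses; an IP literal has to be matched
    # exactly against an iPAddress subjectAltName, not against a dNSName or CN.
    if _is_ip_literal(host):
        return False
    cn_labels, host_labels = cn.split("."), host.split(".")
    # '*' must be the entire leftmost label, followed by at least two fixed
    # labels ('*.example' alone would cover a whole TLD), and it matches
    # exactly one host label.
    if cn_labels[0] != "*" or len(cn_labels) < 3 or any("*" in l for l in cn_labels[1:]):
        return False
    return len(host_labels) == len(cn_labels) and host_labels[1:] == cn_labels[1:]
```

Note that the fix for the NUL case is to reject the certificate, not to compare the full length and hope for the best: a CA that issued a name containing a NUL has already been tricked, and nothing in that certificate should be trusted.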
 
 Privilege escalation via changing session state in an index

Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances

Unauthorized File System Access Vulnerability
+--------------------------------------------

An unauthorized file system access vulnerability affects Cisco ASA
5500 Series Adaptive Security Appliances when a security appliance is
configured as a local Certificate Authority (CA). An affected
configuration consists of the following minimum commands:

    crypto ca trustpoint <trustpoint name>
     keypair <keypair name>
     crl configure

[ GLSA 200803-30 ] ssl-cert eclass: Certificate disclosure

Workaround
==========

Do not use pre-generated SSL keys, but use keys that were generated
using a different Certificate Authority.

Resolution
==========

Upgrading to newer versions of the above packages will neither remove

[SECURITY] [DSA 2200-1] nss security update

http://www.debian.org/security/                        Moritz Muehlenhoff
August 31, 2011                        http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : nss
Vulnerability  : compromised certificate authority
Problem type   : local(remote)
Debian-specific: no
CVE ID         : not available

Several unauthorised SSL certificates have been found in the wild issued

[SECURITY] [DSA 2300-2] nss security update

http://www.debian.org/security/                           Thijs Kinkhorst
September 5, 2011                      http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : nss
Vulnerability  : compromised certificate authority
Problem type   : local(remote)
Debian-specific: no
CVE ID         : not available

Several unauthorised SSL certificates have been found in the wild issued

[SECURITY] [DSA 2309-1] openssl security update

http://www.debian.org/security/                          Raphael Geissert
September 13, 2011                     http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openssl
Vulnerability  : compromised certificate authority
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-1945

Several fraudulent SSL certificates have been found in the wild issued

[SECURITY] [DSA 2299-1] ca-certificates security update

http://www.debian.org/security/                           Thijs Kinkhorst
August 31, 2011                        http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ca-certificates
Vulnerability  : compromised certificate authority
Problem type   : local/remote
Debian-specific: no
Debian Bug     : 639744

An unauthorized SSL certificate has been found in the wild issued

Cisco Security Advisory: Cisco Unified Communications Manager CAPF Denial of Service Vulnerability

Summary
=======

Cisco Unified Communications Manager, formerly Cisco CallManager,
contains a denial of service (DoS) vulnerability in the Certificate
Authority Proxy Function (CAPF) service. Exploitation of this
vulnerability could cause an interruption in voice services. The CAPF
service is disabled by default.

Cisco has released free software updates that address this
vulnerability. Workarounds available that mitigate this vulnerability

[ MDVSA-2011:129 ] mozilla

 thunderbird:
 
 Google Chrome user alibo encountered an active man in the middle (MITM)
 attack on secure SSL connections to Google servers. The fraudulent
 certificate was mis-issued by DigiNotar, a Dutch Certificate
 Authority. DigiNotar has reported evidence that other fraudulent
 certificates were issued and in active use but the full extent of
 the compromise is not known.
 
 For the protection of our users Mozilla has removed the DigiNotar
 root certificate. Sites using certificates issued by DigiNotar will

[SECURITY] [DSA 2339-1] nss security update

Debian-specific: no
CVE ID         : CVE-2011-3640 
Debian Bug     : 647614

This update to the NSS cryptographic libraries revokes the trust in the
"DigiCert Sdn. Bhd" certificate authority. More information can be found
in the Mozilla Security Blog:
http://blog.mozilla.com/security/2011/11/03/revoking-trust-in-digicert-sdn-bhd-intermediate-certificate-authority/

This update also fixes an insecure load path for pkcs11.txt configuration
file (CVE-2011-3640).

[SECURITY] [DSA 2307-1] chromium-browser security update

   allows remote attackers to cause a denial of service or possibly have
   unspecified other impact via unknown vectors that lead to a "stale pointer."


Several unauthorised SSL certificates have been found in the wild issued
for the DigiNotar Certificate Authority, obtained through a security
compromise with said company.
This update blacklists SSL certificates issued by DigiNotar-controlled
intermediate CAs used by the Dutch PKIoverheid program.
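The DigiNotar entries above (the MFSA 2011-34 follow-up quoted under MDVSA-2011:133, and this DSA 2307-1 blacklist) make a point that is easy to miss: removing a root from the trust store is not enough when an intermediate has also been cross-signed by a root that is still trusted, because path building simply finds the other route. The following is an added example, not code from Mozilla, Debian or any advisory on this page. It models path building over a toy trust store with constructed certificates (the names and key identifiers are placeholders) and shows why a distrust list keyed on the public key blocks the cross-signed route while plain removal does not. Signature checks are omitted; only issuer/subject chaining is modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Toy certificate: chaining is by name only. key_id stands in for a hash of
    the SubjectPublicKeyInfo, so a cross-signed copy of an intermediate (same
    key, different issuer) carries the same key_id as the original."""
    subject: str
    issuer: str
    key_id: str

# Constructed scenario (placeholder names and key identifiers, not real certs).
DN_ROOT = Cert("DigiNotar Root CA", "DigiNotar Root CA", "key-dn-root")
OTHER_ROOT = Cert("Other Root CA", "Other Root CA", "key-other-root")
DN_INT = Cert("DigiNotar PKIoverheid CA", "DigiNotar Root CA", "key-dn-int")
DN_INT_CROSS = Cert("DigiNotar PKIoverheid CA", "Other Root CA", "key-dn-int")  # cross-signed
LEAF = Cert("www.example.com", "DigiNotar PKIoverheid CA", "key-leaf")
POOL = frozenset({DN_ROOT, DN_INT, DN_INT_CROSS})   # everything a server might send

def find_chains(leaf, pool, roots, distrusted):
    """Return every path leaf -> ... -> trusted root that does not touch a
    distrusted key. Path building mirrors what a client does: for each cert,
    try every available cert whose subject equals its issuer."""
    chains = []

    def walk(cert, path):
        if cert.key_id in distrusted:          # explicit distrust beats everything
            return
        path = path + [cert]
        if cert in roots:
            chains.append(path)
            return
        for cand in pool | roots:
            if cand.subject == cert.issuer and cand not in path:
                walk(cand, path)

    walk(leaf, [])
    return chains

def removal_only_validates():
    """Fix 1: drop the DigiNotar root from the trust store. The cross-signed
    intermediate still reaches 'Other Root CA', so the leaf validates."""
    return bool(find_chains(LEAF, POOL, frozenset({OTHER_ROOT}), frozenset()))

def explicit_distrust_validates():
    """Fix 2: leave the store alone but distrust the DigiNotar root and
    intermediate keys. Both copies of the intermediate share the key, so no
    path survives, whatever cross-signs it."""
    return bool(find_chains(LEAF, POOL, frozenset({OTHER_ROOT, DN_ROOT}),
                            frozenset({"key-dn-root", "key-dn-int"})))

if __name__ == "__main__":
    print("root removed only ->", removal_only_validates())
    print("explicit distrust ->", explicit_distrust_validates())
```

Keying the distrust list on the public key rather than on one certificate's fingerprint is a design choice of this example; it is what makes the cross-signed copy fall with the original. A list keyed on certificate fingerprints would need an entry for every cross-signed variant.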



Aruba Mobility Controller Shared Default Certificate

Aruba mobility controllers use X.509 certificates to protect access to the web management interface and to provide secure wireless authentication, such as TLS, TTLS, PEAP, and Aruba-specific Captive Portal. By default the controller uses a built-in certificate that is shared by all deployed units across all customers. Administrators are not forced to generate new, implementation-specific key pairs to replace this shared one.

Since the corresponding private key is not protected in any particular way it is possible for a party with access to one of the controllers to retrieve the private key and abuse it to compromise other implementations.

The latest such certificate is serial number 386929 issued by Equifax Secure Certificate Authority, expiring Jun 30, 2011.

The vulnerability has been identified in ArubaOS version 3.3.1.16 but all previous versions are also likely affected.
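A practical follow-up to this advisory (and to the GLSA 200803-30 note above about pre-generated keys) is to check whether deployed devices still present the shared certificate, which means reading the serial number and the public key out of what each device serves. The following is an added example, not Aruba's or Gentoo's code: a minimal DER walker that pulls serialNumber and a SHA-256 fingerprint of the SubjectPublicKeyInfo out of a certificate, run over constructed certificate skeletons. The fleet of three "controllers", the key bytes and the serial 4711 are made up for the example; the serial 386929 is the one cited in the advisory. Real input would be the DER certificate fetched with openssl s_client and converted with openssl x509 -outform DER.

```python
import hashlib

# --- minimal DER helpers (enough to build and walk a certificate skeleton) ---

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def integer(n):
    # one spare bit keeps the sign bit clear for non-negative values
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def sequence(*parts):
    return tlv(0x30, b"".join(parts))

def read_tlv(buf, off):
    """Return (tag, value, next_offset) for the element starting at buf[off]."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:                                   # long-form length
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + n], off + n

def children(value):
    """Split a constructed value into (tag, inner, raw_bytes) triples."""
    out, off = [], 0
    while off < len(value):
        start = off
        tag, inner, off = read_tlv(value, off)
        out.append((tag, inner, value[start:off]))
    return out

# --- the check: serial number and SPKI fingerprint of a certificate ---

def cert_fields(der):
    """Return (serialNumber, sha256 hex of SubjectPublicKeyInfo) for a DER
    X.509 certificate. tbsCertificate order after the optional [0] version:
    serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo."""
    _, cert_body, _ = read_tlv(der, 0)
    tbs = children(cert_body)[0][1]
    elems = children(tbs)
    i = 1 if elems[0][0] == 0xA0 else 0
    tag, serial, _ = elems[i]
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    spki_raw = elems[i + 5][2]
    return int.from_bytes(serial, "big", signed=True), hashlib.sha256(spki_raw).hexdigest()

# --- constructed input: certificate skeletons standing in for what each
#     controller serves (Name fields are left empty and the signature is a
#     dummy, which the walker above never looks at) ---

RSA_ALG = sequence(tlv(0x06, bytes.fromhex("2a864886f70d010101")), tlv(0x05, b""))  # rsaEncryption
SIG_ALG = sequence(tlv(0x06, bytes.fromhex("2a864886f70d01010b")), tlv(0x05, b""))  # sha256WithRSA

def toy_cert(serial, key_bytes):
    tbs = sequence(
        tlv(0xA0, integer(2)),                         # [0] version v3
        integer(serial),
        SIG_ALG,
        sequence(),                                    # issuer (placeholder)
        sequence(),                                    # validity (placeholder)
        sequence(),                                    # subject (placeholder)
        sequence(RSA_ALG, tlv(0x03, b"\x00" + key_bytes)),   # subjectPublicKeyInfo
    )
    return sequence(tbs, SIG_ALG, tlv(0x03, b"\x00" + bytes(8)))

SHARED_KEY = bytes(range(16))        # made-up key material for the example
OWN_KEY = bytes(range(16, 32))
FLEET = {
    "controller-a": toy_cert(386929, SHARED_KEY),   # still on the shared default cert
    "controller-b": toy_cert(386929, SHARED_KEY),
    "controller-c": toy_cert(4711, OWN_KEY),        # replaced with its own key
}

def hosts_with_serial(fleet, serial):
    return sorted(h for h, der in fleet.items() if cert_fields(der)[0] == serial)

def shared_key_report(fleet):
    """SPKI fingerprint -> hosts, kept only where more than one host presents
    the same public key: that is a private key shared across devices."""
    by_key = {}
    for host, der in fleet.items():
        by_key.setdefault(cert_fields(der)[1], []).append(host)
    return {fp: sorted(hosts) for fp, hosts in by_key.items() if len(hosts) > 1}
```

The serial-number check only finds the one certificate the advisory names; the SPKI comparison is the general check, since any two devices presenting the same public key share a private key whoever issued the certificates.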


Solution:



Copyright © 1995-2012 LinuxRocket.net. All rights reserved.