January 06, 2009, 3:32 PM — Recently, a group of international security researchers demonstrated successful attacks against the Public Key Infrastructure (PKI) used to issue security certificates to Web sites when the signatures are generated with the MD5 hash function.
Happily, the vulnerability is simple to identify and easy to remediate.
What is this attack?
HTTPS Web sites send their security certificates to inbound browsers to allow them to validate the identity of the sites to which they are connected. A security certificate contains the Web site’s host name and its public key, and is cryptographically signed by a Certification Authority (CA). Browsers are also configured to trust a list of predefined authorities, each of which is represented by a self-signed certificate. A browser uses these trusted authorities to verify the digital signature of a Web site’s certificate, and can thus avoid phishing attacks.
In this particular attack, the researchers successfully created a valid intermediate CA certificate signed by a trusted authority. They then used it to generate arbitrary valid Web site certificates, allowing them to impersonate HTTPS Web sites, monitor or tamper with data sent to such Web sites, etc. This attack can affect any application using X.509 certificates signed using the popular MD5 mechanism. The hack was to prepare, using techniques to find MD5 collisions, one fake intermediate certificate that would be recognized as having been issued by the real CA (Verisign in this case).
The attack works as follows:
1. The attacker creates a rogue CA using vulnerabilities in MD5.
2. The attacker creates a valid HTTPS certificate for the target Web site.
3. The attacker uses this secure certificate to gain trusted status in mainstream browsers.
4. The attacker executes any number of browser-based attacks to gain sensitive data from end-users.
In practical terms, this means that someone in possession of such a rogue CA can launch what is known as a man-in-the-middle attack and gain access to your bank account by having you log on through their attack tool and recording your user ID and password! Other attacks could include directly tampering with data sent to secure Web sites and executing practically undetectable phishing attacks.
Summary remediation steps
In this situation, the best solution is to eliminate all MD5-based certificates. The summary steps to do so are outlined below.
Protect Web applications:
1. Identify any certificate or certificate chain using MD5. In particular, check for TLS/SSL server or client certificates. Rapid7 NeXpose scans for this vulnerability.
2. Migrate affected certificates from MD5 to SHA-1 or SHA-2.
For more information please visit: www.rapid7.com
