what you don't know can hurt you

Technical Cyber Security Alert 2012-156A

Technical Cyber Security Alert 2012-156A
Posted Jun 5, 2012
Authored by US-CERT | Site us-cert.gov

Technical Cyber Security Alert 2012-156A - X.509 digital certificates issued by the Microsoft Terminal Services licensing certificate authority (CA) can be illegitimately used to sign code. This problem was discovered in the Flame malware. Microsoft has released updates to revoke trust in the affected certificates.

tags | advisory
MD5 | 580a5294899e774369e7c71deccb7243

Technical Cyber Security Alert 2012-156A

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


National Cyber Alert System

Technical Cyber Security Alert TA12-156A


Microsoft Windows Unauthorized Digital Certificates

Original release date: June 04, 2012
Last revised: --
Source: US-CERT


Systems Affected

All supported versions of Microsoft Windows, including:

* Windows XP and Server 2003
* Windows Vista and Server 2008
* Windows 7 and Server 2008 R2
* Windows 8 Consumer Preview
* Windows Mobile and Phone


Overview

X.509 digital certificates issued by the Microsoft Terminal
Services licensing certificate authority (CA) can be illegitimately
used to sign code. This problem was discovered in the Flame
malware. Microsoft has released updates to revoke trust in the
affected certificates.


Description

Microsoft Security Advisory (2718704) warns of active attacks using
illegitimate certificates issued by the the Microsoft Terminal
Services licensing certificate authority (CA). There appear to be
problems with some combination of weak cryptography and certificate
usage configuration. From an MSRC blog post:

We identified that an older cryptography algorithm could be
exploited and then be used to sign code as if it originated from
Microsoft. Specifically, our Terminal Server Licensing Service,
which allowed customers to authorize Remote Desktop services in
their enterprise, used that older algorithm and provided
certificates with the ability to sign code, thus permitting code
to be signed as if it came from Microsoft.

From another MSRC blog post:

What we found is that certificates issued by our Terminal
Services licensing certification authority, which are intended
to only be used for license server verification, could also be
used to sign code as Microsoft. Specifically, when an enterprise
customer requests a Terminal Services activation license, the
certificate issued by Microsoft in response to the request
allows code signing without accessing Microsofts internal PKI
infrastructure.

The following details about the affected certificates were provided
in Microsoft Security Advisory (2718704):

Certificate: Microsoft Enforced Licensing Intermediate PCA
Issued by: Microsoft Root Authority
Thumbprint: 2a 83 e9 02 05 91 a5 5f c6 dd ad 3f b1 02 79 4c \
52 b2 4e 70

Certificate: Microsoft Enforced Licensing Intermediate PCA
Issued by: Microsoft Root Authority
Thumbprint: 3a 85 00 44 d8 a1 95 cd 40 1a 68 0c 01 2c b0 a3 \
b5 f8 dc 08

Certificate: Microsoft Enforced Licensing Registration Authority
CA (SHA1)
Issued by: Microsoft Root Certificate Authority
Thumbprint: fa 66 60 a9 4a b4 5f 6a 88 c0 d7 87 4d 89 a8 63 \
d7 4d ee 97


Impact

An attacker could obtain a certificate that could be used to
illegitimately sign code as Microsoft. The signed code could then
be used in a variety of attacks in which the code would appear to
be trusted by Windows.

An attacker could offer software that appeared to be signed by a
valid and trusted Microsoft certificate chain. As noted in an MSRC
blog post, "...some components of the [Flame] malware have been
signed by certificates that allow software to appear as if it was
produced by Microsoft."


Solution

It is important to act quickly to revoke trust in the affected
certificates. Any certificates issued by the Microsoft Terminal
Services licensing certificate authority (CA) could be used for
illegitimate purposes and should not be trusted.

Apply updates

Apply the appropriate versions of KB2718704 to add the affected
certificates to the Untrusted Certificate Store. Updates will
reach most users via automatic updates and Windows Server Update
Services (WSUS).

Revoke trust in affected certificates

Manually add the affected certificates to the Untrusted
Certificate Store. The Certifcates MMC snap-in and Certutil
command can be used on Windows systems.


References

* US-CERT Current Activity: Unauthorized Microsoft Digital
Certificates -
<https://www.us-cert.gov/current/#microsoft_unauthorized_digital_certificates>

* Microsoft Security Advisory (2718704) -
<https://technet.microsoft.com/en-us/security/advisory/2718704>

* Unauthorized digital certificates could allow spoofing -
<http://support.microsoft.com/kb/2718704>

* Microsoft certification authority signing certificates added to the
Untrusted Certificate Store -
<https://blogs.technet.com/b/srd/archive/2012/06/03/microsoft-certification-authority-signing-certificates-added-to-the-untrusted-certificate-store.aspx>

* Microsoft releases Security Advisory 2718704 -
<https://blogs.technet.com/b/msrc/archive/2012/06/03/microsoft-releases-security-advisory-2718704.aspx>

* Windows Server Update Services -
<http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx>

* Certutil -
<http://technet.microsoft.com/en-us/library/cc732443%28v=ws.10%29.aspx>

* How to: View Certificates with the MMC Snap-in -
<http://msdn.microsoft.com/en-us/library/ms788967.aspx>


Revision History

June 04, 2012: Initial release

____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA12-156A Feedback INFO#461124" in
the subject.
____________________________________________________________________

Produced by US-CERT, a government organization.
____________________________________________________________________

This product is provided subject to the Notification as indicated here:
http://www.us-cert.gov/legal.html#notify

This document can also be found at
http://www.us-cert.gov/cas/techalerts/TA12-156A.html

For instructions on subscribing to or unsubscribing from this
mailing list, visit http://www.us-cert.gov/cas/signup.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBT80kYHdnhE8Qi3ZhAQItEQf+LtKD3ZFVSQXiS0S6qId/oXVl/+mMdIqo
uI71CA9Pkm/fKhMW17nOJvKZ+51jPRsWMfEJ4WVZJGvIos26GRkiRmwErfXGf4gn
XI4xFt4J5VEuKRJbYeey5JtKUywMEb2urxceooMOhbbi1Y0+iAVY4QnRm0jwxCgM
ojl6bNbEK8Pb2mGD8XQCwRSuwbKgifaIKlbyuNMZvNEvSvCS9Fpmw8pJzSYbZMr8
gKj4G2us/1C1dlNcje3AGNH2LAsvfHg9IagK60XhtX6tuZQ7x+EVRzxYuuAm14Ra
RgVm8QsTQJ3TmqG/a3xH0NDb0vEmZd7cWR30GgYEuwtYc7LYTqVORQ==
=cMSk
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

January 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    0 Files
  • 3
    Jan 3rd
    20 Files
  • 4
    Jan 4th
    4 Files
  • 5
    Jan 5th
    37 Files
  • 6
    Jan 6th
    20 Files
  • 7
    Jan 7th
    4 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    0 Files
  • 10
    Jan 10th
    18 Files
  • 11
    Jan 11th
    8 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    31 Files
  • 14
    Jan 14th
    2 Files
  • 15
    Jan 15th
    2 Files
  • 16
    Jan 16th
    2 Files
  • 17
    Jan 17th
    18 Files
  • 18
    Jan 18th
    13 Files
  • 19
    Jan 19th
    15 Files
  • 20
    Jan 20th
    29 Files
  • 21
    Jan 21st
    12 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close