Matta Consulting - Matta Advisory
https://www.trustmatta.com

pfSense x509 Insecure Certificate Creation

Advisory ID: MATTA-2011-001
CVE reference: CVE-2011-4197
Affected platforms: pfSense
Version: 2.0
Date: 2011-October-09
Security risk: High
Vulnerability: x509 Insecure Certificate Creation
Researcher: Florent Daigniere
Vendor Status: Notified / Patch available
Vulnerability Disclosure Policy:
  https://www.trustmatta.com/advisories/matta-disclosure-policy-01.txt
Permanent URL:
  https://www.trustmatta.com/advisories/MATTA-2011-001.txt

=====================================================================
Description:

Certificates issued by the built-in PKI mechanism of pfSense prior to
version 2.0.1 have the basic constraint CA:true set on every
certificate issued.

=====================================================================
Impact

Any user in possession of a certificate issued by the built-in PKI can
issue sub-certificates with arbitrary CNs, bypassing potential access
controls. Specifics depend on what the certificates are being used for.

=====================================================================
Versions affected:

Firmware version 2.0 tested.

=====================================================================
Threat mitigation

Revoke existing certificates and re-issue them without the basic
constraint set.

To verify the purpose of your certificates, you can use the following
command:

  $ openssl x509 -in test.crt -noout -purpose | grep CA
  SSL client CA : Yes
  SSL server CA : Yes
  Netscape SSL server CA : Yes
  S/MIME signing CA : Yes
  S/MIME encryption CA : Yes
  CRL signing CA : Yes
  Any Purpose CA : Yes
  OCSP helper CA : Yes
  Time Stamp signing CA : Yes

Patches are available at:
  https://github.com/bsdperimeter/pfsense/commit/1379d66f11aaf72982a70287b83e24efcd18898e
  https://github.com/bsdperimeter/pfsense/commit/87b4deb2b2dae9013e6aa0fe490d6a5a04a27894

=====================================================================
Credits

This vulnerability was discovered and researched by Florent Daigniere
from Matta Consulting.

=====================================================================
History

09-10-11 initial discovery
09-10-11 initial attempt to contact the vendor
27-10-11 patch is available
21-12-11 pfSense 2.0.1 is released
22-12-11 this advisory is published

=====================================================================
About Matta

Matta is a privately held company with Headquarters in London, and a
European office in Amsterdam. Established in 2001, Matta operates in
Europe, Asia, the Middle East and North America using a respected team
of senior consultants. Matta is an accredited provider of Tiger Scheme
training; conducts regular research and is the developer behind the
webcheck application scanner, and colossus network scanner.

https://www.trustmatta.com
https://www.trustmatta.com/training.html
https://www.trustmatta.com/webapp_va.html
https://www.trustmatta.com/network_va.html

=====================================================================
Disclaimer and Copyright

Copyright (c) 2011 Matta Consulting Limited. All rights reserved.
This advisory may be distributed as long as its distribution is
free-of-charge and proper credit is given.

The information provided in this advisory is provided "as is" without
warranty of any kind. Matta Consulting disclaims all warranties, either
express or implied, including the warranties of merchantability and
fitness for a particular purpose. In no event shall Matta Consulting or
its suppliers be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or
special damages, even if Matta Consulting or its suppliers have been
advised of the possibility of such damages.
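
Added example (not part of the Matta advisory or of pfSense): a standard-library Python check that reads the basicConstraints extension (OID 2.5.29.19) directly from a certificate's DER encoding, which is the field behind the "CA : Yes" lines in the openssl output under "Threat mitigation". The function names and the `sample_cert` skeleton are constructed for illustration; the skeleton is certificate-shaped DER, not a valid signed certificate.

```python
BC_OID = bytes.fromhex("551d13")  # OID 2.5.29.19, basicConstraints

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split a constructed element's content into (tag, content) pairs."""
    pos, out = 0, []
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def asserts_ca(der):
    """True if a DER certificate has basicConstraints with cA=TRUE."""
    stack = children(der)[:1]
    while stack:
        tag, body = stack.pop()
        if not tag & 0x20:  # primitive element, nothing nested
            continue
        kids = children(body)
        if tag == 0x30 and kids and kids[0] == (0x06, BC_OID):
            # Extension ::= SEQUENCE { extnID, critical (optional), extnValue }
            _, bc, _ = read_tlv(kids[-1][1], 0)  # OCTET STRING wraps the value
            fields = children(bc)
            # cA is BOOLEAN DEFAULT FALSE, so an empty SEQUENCE is not a CA
            return bool(fields) and fields[0][0] == 0x01 and fields[0][1] != b"\x00"
        stack.extend(kids)
    return False  # extension absent

def tlv(tag, *parts):
    """DER-encode one element; used only to build the constructed samples."""
    body = b"".join(parts)
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_cert(bc_fields):
    """Constructed, unsigned certificate-shaped skeleton (not a valid cert)."""
    ext = tlv(0x30, tlv(0x06, BC_OID), tlv(0x01, b"\xff"), tlv(0x04, tlv(0x30, bc_fields)))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), tlv(0xA3, tlv(0x30, ext)))
    return tlv(0x30, tbs, tlv(0x30), tlv(0x03, b"\x00" + bytes(256)))
```

For a PEM file such as test.crt, convert the text with `ssl.PEM_cert_to_DER_cert()` from the standard library and pass the result to `asserts_ca()`. Any user or server certificate for which it returns True is one to revoke and re-issue as described under "Threat mitigation".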