CERT-In Advisory
CIAD-2013-0087
Unauthorized Security Certificate Vulnerability
Original Issue Date: December 10, 2013
Severity Rating: High
Systems Affected
- Windows XP SP 3
- Windows XP Professional x64 Edition SP 2
- Windows Server 2003 SP 2
- Windows Server 2003 x64 Edition SP 2
- Windows Server 2003 with SP2 for Itanium-based Systems
- Windows Vista SP 2
- Windows Vista x64 Edition SP 2
- Windows Server 2008 for 32-bit Systems SP 2
- Windows Server 2008 for x64-based Systems SP 2
- Windows Server 2008 for Itanium-based Systems SP 2
- Windows 7 for 32-bit Systems SP 1
- Windows 7 for x64-based Systems SP 1
- Windows Server 2008 R2 for x64-based Systems SP 1
- Windows Server 2008 R2 for Itanium-based Systems SP 1
- Windows 8 for 32-bit Systems
- Windows 8 for x64-based Systems
- Windows 8.1 for 32-bit Systems
- Windows 8.1 for x64-based Systems
- Windows RT
- Windows RT 8.1
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2008 for 32-bit Systems SP 2 (Server Core installation)
- Windows Server 2008 for x64-based Systems SP 2 (Server Core installation)
- Windows Server 2008 R2 for x64-based Systems (Server Core installation)
- Windows Server 2012 (Server Core installation)
- Windows Server 2012 R2 (Server Core installation)
- Mozilla Firefox prior to 26
- Mozilla Firefox ESR prior to 24.2
- Opera prior to 18
Overview
A subordinate CA of a root-trusted certification authority in France (DG Trésor, under the Government of France CA operated by ANSSI) improperly issued certificates. A remote attacker able to intercept traffic could use them to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.
Description
The Directorate General of the Treasury (DG Trésor), a subordinate CA of the Government of France CA (ANSSI), whose root is present in the Trusted Root Certification Authorities Store, improperly issued a subordinate CA certificate.
That subordinate CA certificate was then misused to issue SSL certificates for multiple sites, including Google web properties. A remote attacker in a position to intercept traffic could use these certificates to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against those sites. Because the certificates chain to a root that is already trusted, ordinary certificate path validation in the affected browsers and Windows components accepts them; the vendor updates below explicitly distrust the offending subordinate CA certificate rather than relying on path validation.
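The following Go program is an added illustration and is not code from CERT-In or from any vendor advisory. It builds, in memory, a constructed PKI shaped like this incident: one trusted root, the CA that legitimately serves a host, and a sibling subordinate CA under the same root that issues its own certificate for that host. The names "Example Government Root CA", "Example Commercial CA", "Example Treasury Sub CA" and the host accounts.example.com are assumptions, not the real certificates involved. It shows why plain path validation accepted the mis-issued certificate, how per-host public-key pinning rejects it, and what a vendor-pushed distrust list does once applied.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// spkiPin: hex SHA-256 of the SubjectPublicKeyInfo (the digest HPKP uses, base64-encoded there).
func spkiPin(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.RawSubjectPublicKeyInfo))
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue builds a CA or end-entity certificate for cn with a fresh P-256 key and has signer
// (the parent's key) sign it; a nil parent yields a self-signed root. Constructed test PKI only.
func issue(cn string, serial int64, ca bool, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, signer = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// Scenario mirrors the advisory: a trusted root, the CA that legitimately serves host (LegitCA),
// and a sibling subordinate of the same root (RogueSub) that issued its own certificate for host.
type Scenario struct{ Root, LegitCA, RogueSub, GoodLeaf, BadLeaf *x509.Certificate }

func BuildScenario(host string) Scenario {
	root, rootKey := issue("Example Government Root CA", 1, true, nil, nil) // assumed names
	legit, legitKey := issue("Example Commercial CA", 2, true, root, rootKey)
	rogue, rogueKey := issue("Example Treasury Sub CA", 3, true, root, rootKey)
	good, _ := issue(host, 4, false, legit, legitKey)
	bad, _ := issue(host, 5, false, rogue, rogueKey)
	return Scenario{root, legit, rogue, good, bad}
}

// Policy is what a client enforces. Roots alone is ordinary path validation; Pins adds
// per-host public-key pinning (how the mis-issued Google certificates were noticed);
// Disallowed models the vendor-pushed distrust list that the advisory's updates install.
type Policy struct {
	Roots      *x509.CertPool
	Pins       map[string][]string
	Disallowed map[string]bool
}

// Verify accepts leaf for host only if it chains to a trusted root, nothing in that chain
// is distrusted and, when host is pinned, some certificate in the chain carries a pinned key.
func (p Policy) Verify(host string, leaf *x509.Certificate, intermediates ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, c := range intermediates {
		pool.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: p.Roots, Intermediates: pool})
	if err != nil {
		return fmt.Errorf("path validation: %w", err)
	}
	_, needPin := p.Pins[host]
	for _, c := range chains[0] {
		if p.Disallowed[spkiPin(c)] {
			return fmt.Errorf("chain contains distrusted certificate %q", c.Subject.CommonName)
		}
		for _, pin := range p.Pins[host] {
			needPin = needPin && spkiPin(c) != pin
		}
	}
	if needPin {
		return fmt.Errorf("no certificate in the chain matches a pin for %s", host)
	}
	return nil
}

func main() {
	host := "accounts.example.com" // constructed hostname
	s := BuildScenario(host)
	roots := x509.NewCertPool()
	roots.AddCert(s.Root)
	pinned := Policy{Roots: roots, Pins: map[string][]string{host: {spkiPin(s.LegitCA)}}}
	patched := Policy{Roots: roots, Disallowed: map[string]bool{spkiPin(s.RogueSub): true}}
	fmt.Println("unpinned client, before update:", Policy{Roots: roots}.Verify(host, s.BadLeaf, s.RogueSub))
	fmt.Println("pinned client:                 ", pinned.Verify(host, s.BadLeaf, s.RogueSub))
	fmt.Println("after vendor distrust update:  ", patched.Verify(host, s.BadLeaf, s.RogueSub))
}
```

The first line printed is `<nil>`: the rogue chain is structurally valid, which is exactly why the incident was not caught by path validation. The distrust entry is keyed by the subordinate CA's public key rather than by a serial number, so re-issuing the same CA key under a new certificate does not restore trust; in the real fix the vendors ship the specific certificate's identity instead, which is why the page's "apply updates" workaround is the only practical remedy for unpinned clients.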
Workaround
Apply the appropriate updates released by the respective vendors; see the Vendor Information section for details. On Windows, the distrust of the offending subordinate CA certificate is delivered through the automatic updater of revoked certificates (KB 2677070, listed under References); Windows XP, Windows Server 2003, and systems that are not configured to use the automatic updater need the corresponding manual update described in the Microsoft advisory.
Vendor Information
Microsoft
http://technet.microsoft.com/en-us/security/advisory/2916652
Mozilla
https://blog.mozilla.org/security/2013/12/09/revoking-trust-in-one-anssi-certificate/
Opera
http://blogs.opera.com/security/2013/12/certificate-update/
References
Microsoft
http://technet.microsoft.com/en-us/security/advisory/2916652
http://support.microsoft.com/kb/2677070
Mozilla
https://blog.mozilla.org/security/2013/12/09/revoking-trust-in-one-anssi-certificate/
Opera
http://blogs.opera.com/security/2013/12/certificate-update/
Google
http://googleonlinesecurity.blogspot.in/2013/12/further-improving-digital-certificate.html
Security Tracker
http://securitytracker.com/id/1029445
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road
New Delhi - 110 003
India