Detecting Compromised SSL Certificates Using Nessus
When Thieves Target SSL Certificates
SSL is one of the most commonly used protocols to provide encryption for a variety of different applications. As such, it has come under great scrutiny over the years. While SSL misconfiguration is commonplace, one of the more recent attacks against SSL is to steal the Certificate Authority (CA) certificate. (In a paper released in July 2012, NIST warned that this type of attack would increase). Access to this certificate allows the attacker to issue valid certificates, and in the case of a code-signing certificate, use it to sign malware. Malware executing with this level of trust increases the chances of successfully being installed on the system. Other CA certificates are used to generate website certificates used by attackers to impersonate secure access to a given website.
Attackers stealing CA certificates has become more common. Don't think of it as stealing a cookie (or three), but more like attackers stealing the recipe to make their own cookies (and not the ones used between web browsers and web applications).
The attacks described above provide great return on investment (ROI) for attackers. By compromising one system and stealing the CA certificate, they can often turn around and compromise several more systems. The attacks tend to remain undetected for some time as they implement valid certificates that do not generate web browser errors. Fortunately, once the compromised certificate has been identified, it can be revoked, making future usage invalid. In addition, the offending certificate can be identified and revoked in your environment.
Finding Compromised Certificates
Nessus has several plugins to detect this type of vulnerability, including:
- Adobe's code-signing certificate was stolen and used by malware. Adobe revoked the compromised certificate and released an update containing new code-signing certificates. Tenable's plugin team released a new plugin to detect the compromised certificates revoked in update APSA12-01 (See plugin: Adobe Software Signed By Revoked Certificate (APSA12-01)).
- The Flame malware used a Microsoft code-signing certificate in order to increase chances of propagation. Microsoft realized the situation, stating that "…certificates issued by our Terminal Services licensing certification authority, which are intended to only be used for license server verification, could also be used to sign code as Microsoft." Microsoft revoked a handful of certificates when they issued KB2718704, for which a Nessus plugin was created to detect the revoked certificate (MS KB2718704: Unauthorized Digital Certificates Could Allow Spoofing). A related plugin, Windows Flamer/Skywiper Malware Detection, was also published in the feed to detect the presence of the Flamer malware itself.
Three more SSL CA certificates were compromised, and associated Nessus plugins exist to detect them:
- SSL Certificate Signed with the Compromised Fortigate Key - The X.509 certificate of the remote host was signed by a certificate belonging to a CA found in Fortigate devices.
- SSL Certificate Signed with the Publicly Known Cyberoam Key - The X.509 certificate of the remote host was signed by a certificate belonging to a CA found in Cyberoam devices.
- SSL Certificate Signed with the Revoked DigiNotar Certificate Authority - The X.509 certificate of the remote host was signed by a certificate belonging to a CA called DigiNotar, which was revoked due to a known site compromise.
One further condition related to SSL certificates, can also be detected by Nessus. As the description states, "These signature algorithms are known to be vulnerable to collision attacks. In theory, a determined attacker may be able to leverage this weakness to generate another certificate with the same digital signature, which could allow him to masquerade as the affected service."
- SSL Certificate Signed Using Weak Hashing Algorithm - The remote service uses an SSL certificate that has been signed using a cryptographically-weak hashing algorithm - MD2, MD4, or MD5.
SSL is a protocol based on trust, and when a CA certificate is compromised, the chain of trust is broken. Attacks against SSL can compromise sensitive data and credentials, making them a high-risk threat to your infrastructure. By applying updates from the vendors and certificate authorities, the chain of trust can be repaired. To ensure that all of the updates have been implemented, Nessus and SecurityCenter customers can check for compromised certificates as part of our continuous monitoring platform.