FreeBSD : nss/ca_root_nss -- fraudulent certificates issued by DigiNotar.nl (aa5bc971-d635-11e0-b3cf-080027ef73ec)

This script is Copyright (C) 2011-2015 Tenable Network Security, Inc.

Synopsis:

The remote FreeBSD host is missing one or more security-related
updates.

Description:

Heather Adkins, Google's Information Security Manager, reported that
Google received

[...] reports of attempted SSL man-in-the-middle (MITM) attacks
against Google users, whereby someone tried to get between them and
encrypted Google services. The people affected were primarily located
in Iran. The attacker used a fraudulent SSL certificate issued by
DigiNotar, a root certificate authority that should not issue
certificates for Google (and has since revoked it). [...]

VASCO Data Security International Inc., owner of DigiNotar, issued a
press statement confirming this incident:

On July 19th 2011, DigiNotar detected an intrusion into its
Certificate Authority (CA) infrastructure, which resulted in the
fraudulent issuance of public key certificate requests for a number of
domains, including Google.com. [...] an external security audit
concluded that all fraudulently issued certificates were revoked.
Recently, it was discovered that at least one fraudulent certificate
had not been revoked at the time. [...]

Mozilla, maintainer of the NSS package from which FreeBSD derived
ca_root_nss, stated that they:

revoked our trust in the DigiNotar certificate authority from all
Mozilla software. This is not a temporary suspension, it is a complete
removal from our trusted root program. Complete revocation of trust is
a decision we treat with careful consideration, and employ as a last
resort.

Three central issues informed our decision:

- Failure to notify. [...]

- The scope of the breach remains unknown. [...]

- The attack is not theoretical.

See also:

http://www.nessus.org/u?baa49230
http://www.mozilla.org/security/announce/2011/mfsa2011-34.html
http://www.nessus.org/u?f3fc8e9a
http://www.nessus.org/u?5ea6c31a

Solution:

Update the affected packages.

Risk factor:

High

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 56081
