FreeBSD : nss/ca_root_nss -- fraudulent certificates issued by (aa5bc971-d635-11e0-b3cf-080027ef73ec)

High Nessus Plugin ID 56081


The remote FreeBSD host is missing one or more security-related updates.


Heather Adkins, Google's Information Security Manager, reported that Google received

[...] reports of attempted SSL man-in-the-middle (MITM) attacks against Google users, whereby someone tried to get between them and encrypted Google services. The people affected were primarily located in Iran. The attacker used a fraudulent SSL certificate issued by DigiNotar, a root certificate authority that should not issue certificates for Google (and has since revoked it). [...]

VASCO Data Security International Inc., owner of DigiNotar, issued a press statement confirming this incident :

On July 19th 2011, DigiNotar detected an intrusion into its Certificate Authority (CA) infrastructure, which resulted in the fraudulent issuance of public key certificate requests for a number of domains, including [...] an external security audit concluded that all fraudulently issued certificates were revoked.
Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time. [...]

Mozilla, maintainer of the NSS package, from which FreeBSD derived ca_root_nss, stated that they :

revoked our trust in the DigiNotar certificate authority from all Mozilla software. This is not a temporary suspension, it is a complete removal from our trusted root program. Complete revocation of trust is a decision we treat with careful consideration, and employ as a last resort.

Three central issues informed our decision :

- Failure to notify. [...]

- The scope of the breach remains unknown. [...]

- The attack is not theoretical.


Update the affected packages.

See Also

Plugin Details

Severity: High

ID: 56081

File Name: freebsd_pkg_aa5bc971d63511e0b3cf080027ef73ec.nasl

Version: $Revision: 1.12 $

Type: local

Published: 2011/09/06

Modified: 2015/05/13

Dependencies: 12634

Risk Information

Risk Factor: High

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:ca_root_nss, p-cpe:/a:freebsd:freebsd:firefox, p-cpe:/a:freebsd:freebsd:linux-firefox, p-cpe:/a:freebsd:freebsd:linux-seamonkey, p-cpe:/a:freebsd:freebsd:linux-thunderbird, p-cpe:/a:freebsd:freebsd:nss, p-cpe:/a:freebsd:freebsd:seamonkey, p-cpe:/a:freebsd:freebsd:thunderbird, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 2011/09/03

Vulnerability Publication Date: 2011/07/19