FreeBSD : nss/ca_root_nss -- fraudulent certificates issued by DigiNotar.nl (aa5bc971-d635-11e0-b3cf-080027ef73ec)
Severity: High. Nessus Plugin ID 56081

Synopsis
The remote FreeBSD host is missing one or more security-related updates.

Description
Heather Adkins, Google's Information Security Manager, reported that Google received
[...] reports of attempted SSL man-in-the-middle (MITM) attacks against Google users, whereby someone tried to get between them and encrypted Google services. The people affected were primarily located in Iran. The attacker used a fraudulent SSL certificate issued by DigiNotar, a root certificate authority that should not issue certificates for Google (and has since revoked it). [...]
VASCO Data Security International Inc., owner of DigiNotar, issued a press statement confirming this incident:
On July 19th 2011, DigiNotar detected an intrusion into its Certificate Authority (CA) infrastructure, which resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Google.com. [...] an external security audit concluded that all fraudulently issued certificates were revoked.
Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time. [...]
Mozilla, maintainer of the NSS package, from which FreeBSD derived ca_root_nss, stated that they:
revoked our trust in the DigiNotar certificate authority from all Mozilla software. This is not a temporary suspension, it is a complete removal from our trusted root program. Complete revocation of trust is a decision we treat with careful consideration, and employ as a last resort.
Three central issues informed our decision:
- Failure to notify. [...]
- The scope of the breach remains unknown. [...]
- The attack is not theoretical.
Solution
Update the affected packages.
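After updating ca_root_nss, an administrator will want to confirm that no DigiNotar entry is still accepted as a TLS trust anchor. The following is an added example, not code from the advisory, Nessus, FreeBSD or Mozilla. It parses the certdata.txt format that Mozilla NSS ships and that the ca_root_nss port builds its bundle from, and reports every CKO_NSS_TRUST object whose label matches a CA name and whose CKA_TRUST_SERVER_AUTH value is still CKT_NSS_TRUSTED_DELEGATOR. The sample data embedded below is constructed for illustration (the entry labels and the octal payloads are not real); run it against the real certdata.txt from the port's distfiles instead. The installed PEM bundle would need an X.509 parser rather than this text scanner.

```python
"""Scan an NSS certdata.txt file for CA trust entries that are still trusted for TLS."""

# Constructed sample in the certdata.txt layout: one certificate object and
# three trust objects. Labels and octal bytes are made up for this example.
SAMPLE_CERTDATA = r"""# Certificate "Example Root CA" (constructed)
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Root CA"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_VALUE MULTILINE_OCTAL
\060\202\001\001
END

# Trust for "Example Root CA" (constructed)
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Root CA"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\001\002\003
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

# Trust for "DigiNotar Root CA": explicitly distrusted after the update
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "DigiNotar Root CA"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\004\005\006
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED

# Trust for a constructed stale entry that an incomplete update might leave behind
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "DigiNotar Stale Entry (constructed)"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\007\010\011
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
"""


def parse_trust_records(certdata: str) -> dict:
    """Map the label of each CKO_NSS_TRUST object to its CKA_TRUST_SERVER_AUTH value.

    MULTILINE_OCTAL payloads are skipped up to their END marker, and the
    CKA_CLASS line resets the current label so a certificate object's label
    is never mistaken for a trust object's.
    """
    records = {}
    current_class = None
    current_label = None
    lines = iter(certdata.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("MULTILINE_OCTAL"):
            for inner in lines:  # consume the octal body
                if inner.strip() == "END":
                    break
            continue
        parts = line.split(None, 2)  # attribute, type, value
        if len(parts) < 3:
            continue
        attr, _type, value = parts
        if attr == "CKA_CLASS":
            current_class, current_label = value, None
        elif attr == "CKA_LABEL":
            current_label = value.strip('"')
        elif (attr == "CKA_TRUST_SERVER_AUTH"
              and current_class == "CKO_NSS_TRUST" and current_label):
            records[current_label] = value
    return records


def still_trusted_for_tls(certdata: str, ca_name_fragment: str) -> list:
    """Return labels containing the fragment (case-insensitive) that NSS would
    still accept as TLS server-auth trust anchors. An empty list means every
    matching entry is either absent or marked CKT_NSS_NOT_TRUSTED."""
    frag = ca_name_fragment.lower()
    return sorted(label for label, trust in parse_trust_records(certdata).items()
                  if frag in label.lower() and trust == "CKT_NSS_TRUSTED_DELEGATOR")


if __name__ == "__main__":
    import sys
    # Pass the path of a real certdata.txt to scan it; otherwise use the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CERTDATA
    leftover = still_trusted_for_tls(data, "diginotar")
    if leftover:
        print("still trusted for TLS:", ", ".join(leftover))
    else:
        print("no DigiNotar entry is trusted for TLS")
```

On the constructed sample the scan reports the stale entry and not "DigiNotar Root CA", which is present but explicitly distrusted; on a correctly updated bundle the list should be empty.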