SSL Certificate Signed Using Weak Hashing Algorithm (Known CA)

info Nessus Plugin ID 95631
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

A known CA SSL certificate in the certificate chain has been signed using a weak hashing algorithm.

Description

The remote service uses a known CA certificate in the SSL certificate chain that has been signed using a cryptographically weak hashing algorithm (e.g., MD2, MD4, MD5, or SHA1). These signature algorithms are known to be vulnerable to collision attacks. An attacker can exploit this to generate another certificate with the same digital signature, allowing the attacker to masquerade as the affected service.

Note that this plugin reports all SSL certificate chains signed with SHA-1 that expire after January 1, 2017 as vulnerable. This is in accordance with Google's gradual sunsetting of the SHA-1 cryptographic hash algorithm.

Solution

Contact the Certificate Authority to have the certificate reissued.

See Also

https://tools.ietf.org/html/rfc3279

https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2008/961509

Plugin Details

Severity: Info

ID: 95631

File Name: ssl_weak_hash_ca.nasl

Version: 1.12

Type: remote

Family: General

Published: 12/8/2016

Updated: 11/26/2019

Dependencies: ssl_certificate_chain.nasl

Risk Information

CVSS Score Source: manual

VPR

Risk Factor: Medium

Score: 4.4

Vulnerability Information

CPE: cpe:/a:ietf:md5, cpe:/a:ietf:x.509_certificate

Required KB Items: SSL/Chain/KnownCA/WeakHash

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 8/18/2004

Reference Information

CVE: CVE-2004-2761

BID: 11849, 33065

CERT: 836068

CWE: 310