No Evidence of Breach, Says Certificate Vendor in Midst of Private Key Debacle
Digital certificate vendor Trustico is facing a new crisis after a researcher tweeted about a severe vulnerability in the company’s website. The vulnerability would appear to give root access to – and allow the downloading of – TLS/SSL digital certificates.
The reported flaw comes as Trustico has sought since early February to revoke about 50,000 certificates, or nearly every digital certificate the 12-year-old company has ever issued.
The researcher who sounded the alert about the company’s website is Predrag Cujanović of Belgrade, Serbia. On Thursday, he tweeted about an alleged problem that appeared to be able to pull digital certificates from Trustico’s site.
Hmmm… I can’t validate my Domain certificate via #Trustico, it just ends up sending weird curl requests to my server. Anyone got an idea what’s wrong? pic.twitter.com/IkvMHZ8aLJ
— svbl (@svblxyz) March 1, 2018
Other researchers, running with Cujanović’s alert, reported that the website appeared to be running as “root,” and that any commands transferred to the site using the data-transfer tool curl could be executed with root-level privileges.
“The whole server is [completely] under my control,” tweeted German researcher Tobias Mädel (@Manawyrm).
I am speechless. pic.twitter.com/qZc6TcLUAY
— Manawyrm (@Manawyrm) March 1, 2018
Trustico’s site went offline less than 24 hours after Cujanović’s initial warning.
Reached for comment, Trustico Director Zane Lucas tells Information Security Media Group that the company shut down the affected development tools and web server.
The tools and server help customers “learn the intricacies of an SSL certificate” but are not designed for production use, Lucas writes. The server is not connected with any databases or services containing customer data.
“We haven’t found any evidence of a breach, though we disabled the tools pending a full investigation,” Lucas says.
It’s unclear if Cujanović notified Trustico prior to his tweet. But he claimed that the vulnerability was already public, which was how he found it.
“I only pointed out how bad it is (web service running as root user),” Cujanović tweeted.
Many researchers directly notify organizations about vulnerabilities in products or services so vendors have time to patch and not put people at risk. But researchers are not under any obligation to do so, and many post vulnerability information publicly after feeling slighted or ignored by companies.
Some commenters criticized Cujanović, whose Twitter profile mentions that he’s part of the Open Web Application Security Project’s Serbian chapter. Cujanović clarified that his action had nothing to do with OWASP. Rather, he was curious.
“There was no protection in place, and I didn’t read any sensitive information,” he tweets. “I will leave/step down from [OWASP] because of this actions if needed.”
Invariably, this situation is another headache for Trustico. Earlier this week, DigiCert, which took over Symantec’s TLS business last year, dropped Trustico as a partner after a bitter disagreement.
In early February, Trustico sent a notice to DigiCert asking it to revoke all of the security certificates it had ever issued, which number around 50,000. Trustico suspected that the private keys of the digital certificates had been compromised (see Leak of 23,000 Private Keys Triggers Security Scramble).
DigiCert was notified because it now holds Symantec’s root certificates, which are needed to revoke certificates.
DigiCert alleges it asked Trustico for proof that the certificates were compromised, which it did not provide. Under the assumption that the certificates were already compromised, DigiCert asked Trustico to email the private keys, which it did for around 23,000 certificates.
The act of sending private keys over email compromises the certificates since email is considered an insecure channel.
DigiCert subsequently notified the holders of those certificates, which is required under the Baseline Requirements set by the CA/Browser Forum. At least 20,000 of the keys have so far been confirmed as being compromised and in use.
In general, archiving private keys, as Trustico’s CEO has admitted his company was doing, also violates the Baseline Requirements.
After DigiCert notified holders of the affected certificates, Trustico accused the company of hijacking the notification process. Trustico also appeared for a while to dispute that the keys were compromised.
Given the confusion over whether the keys had been compromised or not, DigiCert decided to revoke the keys because they’d been sent over email.
It’s unclear how the private keys were initially compromised. Trustico has indicated that the blame for the situation lies with long-running trust issues around keys issued by Symantec.
Google has a phased plan to distrust all Symantec certificates by October. Google has long maintained that Symantec and its subsidiaries such as Thawte, GeoTrust and RapidSSL issued tens of thousands of rogue certificates (see Google Outlines Plan to Reject Symantec’s Digital Certificates).
Obtaining a digital certificate for a domain could allow an attacker to snoop on traffic. Certificate Authorities, known as CAs, and TLS resellers are supposed to maintain high standards because of the security implications of wrongly issued certificates.
Trustico indicated that its request to revoke its certificates was linked to the Symantec-Google issue. But DigiCert maintains that explanation is “incorrect.”
Executive Editor Mathew Schwartz also contributed to this story.