A security researcher has disclosed critical issues in the processes and third-party API used by Symantec certificate resellers to deliver and manage Symantec SSL certificates.
The flaw, discovered by Chris Byrne, an information security consultant and instructor for Cloud Harmonics, could allow an unauthenticated attacker to retrieve other persons' SSL certificates, including public and private keys, as well as to reissue or revoke those certificates.
Even without revoking and reissuing a certificate, attackers can conduct "man-in-the-middle" attacks over the secure connections using stolen SSL certs, tricking users into believing they are on a legitimate site when in fact their SSL traffic is being secretly tampered with and intercepted.
"All you had to do was click a link sent in [an] email, and you could retrieve a cert, revoke a cert, and re-issue a cert," Byrne wrote in a Facebook post published over the weekend.
Symantec Knew of API Flaws Since 2015
Byrne said he first discovered the issues surrounding Symantec certificates in 2015 and agreed to "limited non-disclosure," as Symantec said the company would take about two years to fix the problems.
"Symantec committed to finding and replacing all of the certificates which MAY have been impacted, and then replace them... that they would do so within 6 months for every cert they could identify, and within two years for every cert period," Byrne said.
The researcher did not reveal any details to the public until last week, when Google disclosed its plan to gradually distrust Symantec-issued certificates within Google Chrome after discovering several issues with the company and four of its third-party cert resellers.
"Given Google's experience and actions here, it appears that Symantec did not fix these issues as they committed to," Byrne said.
However, Byrne was not able to verify that the vulnerability he found was precisely the same issue Google engineers disclosed last week.
According to Byrne, the certificate request and delivery API Symantec provides to its third-party resellers uses URI-based UIDs "without proper authentication, or in some cases, any authentication at all."
Since the API server didn't authenticate users prior to accessing certificate information, any tech-savvy customer could easily have intercepted an email containing the API-generated link, or taken their own UID and modified one of its parameters.
This would, in turn, have allowed a malicious attacker to access information on other Symantec customers, identify high-value targets, and perform automated attacks.
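As an added illustration (not code from the article, from Symantec, or from Byrne; every name, UID and record below is constructed), the weakness just described, a certificate record served to whoever presents a UID in the URI, beside a handler that authenticates the caller and checks that the record belongs to that customer, plus an e-mailed link token that cannot be reused or redeemed by someone else:

```python
import secrets

# Constructed sample store standing in for a reseller's certificate records:
# uid -> (owning customer, common name, certificate body placeholder).
CERTS = {
    1001: ("alice", "shop.example", "<alice cert PEM>"),
    1002: ("bob", "bank.example", "<bob cert PEM>"),
}
SESSIONS = {}     # opaque session token -> authenticated customer
LINK_TOKENS = {}  # single-use e-mail link token -> (customer, uid)

def login(customer):
    """Issue an unguessable session token for an authenticated customer."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer
    return token

def get_cert_vulnerable(uid):
    """Weak pattern: only the URI UID is checked, so any existing UID is served."""
    return CERTS[uid]

def get_cert_hardened(session_token, uid):
    """Authenticate caller, then authorize this record; same failure for unknown/foreign UIDs."""
    customer = SESSIONS.get(session_token)
    if customer is None:
        raise PermissionError("authentication required")
    record = CERTS.get(uid)
    if record is None or record[0] != customer:
        raise PermissionError("not found")
    return record

def can_access(session_token, uid):  # boolean wrapper around the check above
    try:
        get_cert_hardened(session_token, uid)
        return True
    except PermissionError:
        return False

def issue_email_link(customer, uid):
    """E-mailed links carry a random single-use token bound to (customer, uid), not the raw UID."""
    token = secrets.token_urlsafe(32)
    LINK_TOKENS[token] = (customer, uid)
    return token

def redeem_email_link(token, session_token):
    """Link alone is not enough: the session must match the bound customer; single use."""
    bound = LINK_TOKENS.pop(token, None)
    if bound is None or SESSIONS.get(session_token) != bound[0]:
        raise PermissionError("invalid link")
    return get_cert_hardened(session_token, bound[1])
```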
Gaining Full Control Over Another User's SSL Certificates
Using the same API vulnerabilities, the attacker could even have gained full control over another customer's certificates, which includes obtaining public and private keys, revoking certs, or reissuing certs with new passphrases.
Currently, neither the researcher nor the company has discovered any evidence to prove such a scenario, but the possibility alone was enough for Byrne when considering disclosure.
"It would then be trivial to compromise DNS for a particular organization or person they wanted to attack. At that point, they could pretend to be that person's bank, their credit card company, their employer, anyone," Byrne added.
"Perhaps the worst compromise would be to spoof a patch and update server, for an entire company. Then every single machine at that company could be compromised simultaneously."
According to the researcher, Symantec has since fixed some of the issues, but not all. We have reached out to Symantec, and will update the story as soon as we hear back from the company.
Symantec has not yet responded to Byrne's disclosure, though the company has recently published two blog posts accusing Google of "exaggerated and misleading" claims the search engine made last month regarding its CAs.
UPDATE: Symantec’s Response
Symantec has responded to the API flaws and provided the following statement to The Hacker News:
"We have looked into Chris Byrne's research claim and could not recreate the problem. We would welcome the proof of concept from the original research in 2015 as well as the most recent research. In addition, we are unaware of any real-world scenario of harm or evidence of the problem. However, we can confirm that no private keys were accessed, as that is not technically feasible."
"We welcome any feedback that helps improve security for the community. Anyone who would like to share further details about real-world scenarios or proof of concept should contact us here."