
SANS ISC: More Diginotar news - Internet Security | DShield SANS ISC InfoSec Forums


More Diginotar news

From the Newsdesk of "Stories that won't die", there's some new information regarding the now infamous DigiNotar certificates. Apparently Microsoft's latest update didn't kill all of the certificates, and I quote from http://support.microsoft.com/kb/2616676/us:


We are investigating an issue with update 2616676 for all Windows XP-based and Windows Server 2003-based systems.
The versions of update 2616676 for Windows XP and for Windows Server 2003 contain only the latest six digital certificates that are cross-signed by GTE and Entrust. These versions of the update do not contain the digital certificates that were included in update 2607712.


-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler

Joel

454 Posts
ISC Handler
My apologies if this is posted twice.

Apart from what you mention, there are at least three more DigiNotar root certificates that need to be blacklisted. This applies to *all* operating system versions!

However this may be a minor issue as one of those certificates has been expired, and the other two root certs may have been issued for a relatively short period of time and/or mostly in the Netherlands (aka Holland). On the other hand, those other two certs contain the same "Subject" and public key as the "DigiNotar Root CA" certificate that _should_ have been blacklisted by update 2616676, and hence are full replacements! In other words, if you happen to have any of those certs in the "Trusted Root Certification Authorities" certificate store on your PC/server, that computer will still accept SSL/TLS connections with websites such as [1] (a DigiNotar site). E.g. if visiting this site [1] does not cause a certificate error, you're at risk!

There's an extensive writeup (mostly in English) regarding Microsoft's DigiNotar certificate revocations here: [2]

Note that our government stated [3] that the last "black tuesday" update didn't cause any major problems, as they were apparently unaware of the issue you describe above, and the issue I add to that. And this could be major, as XP and W2k3 are still widely in use by Dutch governmental and municipal organizations, and the mostly used DigiNotar root certificates have not yet been blacklisted on the operating systems mentioned. Furthermore the root certificates that are not blacklisted by any Microsoft OS version may have been distributed by Dutch organizations (possibly healthcare) and hence may be present on quite a lot of Dutch government-like computers.

[1] https://auth.pass.nl/
[2] http://www.security.nl/artikel/38496/
[3] http://www.rijksoverheid.nl/documenten-en-publicaties/persberichten/2011/09/16/ernstige-verstoringen-door-diginotar-inbraak-voorkomen.html
Erik van Straten

122 Posts
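The diary quotes Microsoft saying the XP/2003 build of update 2616676 carries only six of the certificates, and the comment above adds that further DigiNotar roots share the Subject and public key of "DigiNotar Root CA" and so act as full replacements. The script below is an added example for checking a Windows box against both points; it is not from the ISC diary, its comments, or Microsoft. It assumes Windows PowerShell 2.0 (the last version for XP/2003) with the standard Cert: provider, and it relies on the fact that the Untrusted Certificates store (exposed as `Disallowed`) matches certificates by exact thumbprint, which is exactly why a second root with the same key is not covered by a blacklist entry for the first. It lists DigiNotar certificates found in the trusted root stores, marks which of them already have an entry in the Untrusted store, and groups the remainder by public key. It does not look at Firefox, which keeps its own NSS store.

```powershell
# Added example (not from the ISC diary or its comments): audit the Windows
# trusted root stores for DigiNotar certificates and report which of them the
# Microsoft update has actually pushed into the Untrusted store.
# Written against PowerShell 2.0 so it also runs on XP / Server 2003.

$trustedStores    = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot',
                    'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\AuthRoot'
$disallowedStores = 'Cert:\LocalMachine\Disallowed', 'Cert:\CurrentUser\Disallowed'

function Get-KeyHash($cert) {
    # SHA-1 over the encoded public key bits. Two certificates with the same
    # value are interchangeable trust anchors, whatever their serial number or
    # thumbprint, which is the "full replacement" situation described above.
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $bytes = $cert.PublicKey.EncodedKeyValue.RawData
    [BitConverter]::ToString($sha1.ComputeHash($bytes)) -replace '-', ''
}

function Find-DigiNotar($stores) {
    foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -match 'DigiNotar' -or $_.Issuer -match 'DigiNotar' } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Store      = $store
                    Subject    = $_.Subject
                    NotAfter   = $_.NotAfter
                    Thumbprint = $_.Thumbprint
                    KeyHash    = Get-KeyHash $_
                }
            }
    }
}

# Thumbprints the Microsoft update (or an admin) has already blacklisted.
$blocked = @(Find-DigiNotar $disallowedStores | ForEach-Object { $_.Thumbprint })
# DigiNotar certificates still sitting in a trusted root store.
$trusted = @(Find-DigiNotar $trustedStores)

"--- DigiNotar certificates in trusted root stores ---"
foreach ($c in $trusted) {
    $state = if ($blocked -contains $c.Thumbprint) { 'BLOCKED' }
             elseif ($c.NotAfter -lt (Get-Date))   { 'expired' }
             else                                  { 'STILL TRUSTED' }
    "{0} {1,-13} key={2}... {3}" -f $c.Thumbprint, $state, $c.KeyHash.Substring(0, 16), $c.Subject
}

# Roots that share a key but have different thumbprints: blacklisting one of
# them by thumbprint leaves the others fully effective, so every member of
# such a group needs its own Untrusted-store entry (or removal).
"--- Distinct certificates sharing one public key ---"
$trusted | Group-Object KeyHash | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    $prints = ($_.Group | ForEach-Object { $_.Thumbprint }) -join ', '
    "key={0}... shared by {1} certificates: {2}" -f $_.Name.Substring(0, 16), $_.Count, $prints
}
```

Run it in an elevated PowerShell so that the LocalMachine stores are readable; anything reported as STILL TRUSTED is a certificate the update did not cover on that system, and a key shared by several thumbprints is the case the comment above warns about. The same enumeration can be pointed at the `Cert:\LocalMachine\CA` store if intermediate DigiNotar certificates are of interest.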
I can confirm that my Firefox 6.0.2 still had the certs listed as trustworthy on my work PC (Vista)... I manually removed them, along with anything with DigiNotar in its name.
Erik van Straten
4 Posts
Microsoft Security Advisory (2607712)
Fraudulent Digital Certificates Could Allow Spoofing
- https://technet.microsoft.com/en-us/security/advisory/2607712
• V5.0 (September 19, 2011): Revised to announce the re-release of the KB2616676 update. See the Update FAQ in this advisory for more information.
- http://support.microsoft.com/kb/2616676
September 19, 2011 - Revision: 4.0
.
Jack

160 Posts
