Orange Business Services
Vigil@nce Vigil@nce Vigil@nce
we track for your security since 1999
  home presentation vulnerabilities documentation contact  
subscriber area subscriber area
free access free access
The Vigil@nce team watches vulnerabilities impacting your computers, and then offers solutions, a database and tools to correct them.
recent vulnerabilities recent vulnerabilities
tracked products tracked products
RSS feed RSS feed
vulnerability

vulnerability alert CVE-2004-2761

SSL: creating a fake certification authority

Synthesis of the vulnerability

An attacker, with important resources, can create a fake intermediary certification authority using a MD5 hash.
Impacted products: ASA, IOS, Cisco Router xx00 Series, Fedora, Notes, Maxthon, IE, Windows (platform), Firefox, SeaMonkey, Mozilla Suite, Netscape Navigator, Opera, RHEL, Unix (platform).
Severity: 1/4.
Creation date: 16/01/2009.
Identifiers: 17341, BID-33065, CSCsw88068, CSCsw90626, CVE-2004-2761, FEDORA-2009-1276, FEDORA-2009-1291, RHSA-2010:0837-01, RHSA-2010:0838-01, VIGILANCE-VUL-8401, VU#836068.

Description of the vulnerability

At the end of 2008 (VIGILANCE-ACTU-1377), using a cluster of 200 game consoles, researchers used a collision on MD5, to create a fake certification authority recognized by all browsers.

Here is a description of the attack:
 - The attacker chooses a Certification Authority (CA) using MD5 signatures (RapidSSL, FreeSSL, TC TrustCenter AG, RSA Data Security, Thawte, verisign.co.jp).
 - The attacker requests to this CA a certificate for a web site. This initial certificate is thus signed with MD5.
 - The attacker alters this certificate to transform it to an Intermediary Certification Authority (IAC), and then uses a MD5 collision to ensure it has the same MD5 as the initial certificate.
 - The attacker uses the IAC to generate a web site certificate (WS).
 - The attacker setups a malicious web site, proposing certificates for the WS and the ACI.
 - The victim connects to the web site. His web browser contains the root certificate of the CA, which authenticates the IAC and then the WS.

No error message is displayed in victim's browser, who can then trust attacker's web site.
Complete Vigil@nce bulletin.... (free access)

Share this bulletin

Delicious Digg Facebook Google bookmarks LinkedIn Mail Reddit StumbleUpon Technorati Twitter 

Computer vulnerabilities tracking service

Vigil@nce provides a software vulnerability bulletin. The Vigil@nce vulnerability database contains several thousand vulnerabilities. The Vigil@nce team tracks computer vulnerabilities impacting systems and applications. The technology watch team tracks security threats targeting the computer system.



















Copyright 1999-2014 Vigil@nce. Vigil@nce is a service from Orange Business Services. Site map. Legal notice. Version française