VU#111708: Fortigate UTM appliances share the same default CA certificate

Vulnerability Note VU#111708
Fortigate UTM appliances share the same default CA certificate

Original Release date: 02 Nov 2012 | Last revised: 02 Nov 2012

Overview

Fortigate UTM appliances that support SSL/TLS deep packet inspection share the same self-signed Fortigate CA certificate and associated private key across all devices. The private key, which has been compromised, allows attackers to create and sign fake certificates.

Description

Fortigate UTM appliances share the same self-signed Fortigate CA certificate. Companies that use these appliances for deep packet inspection have most likely deployed the CA certificate to endpoint web browsers so that end users do not see certificate warnings. Since the associated private key has been compromised (published on the web), an attacker with a man-in-the-middle vantage point on the network will be able to simulate the behavior of the Fortigate appliance and eavesdrop on encrypted communications or spoof websites. The attacker may also digitally sign malicious software, spoofing the identity of the publisher.

Impact

Primarily at risk are users who have imported the compromised Fortigate CA certificate into their web browser or operating system. This risk applies equally within the company (connected to a network behind the Fortigate UTM appliance) as anywhere else. An attacker with a man-in-the-middle vantage point on the current network may be able to eavesdrop on encrypted communications. In addition, an attacker may falsify digital signatures such as Authenticode.

Solution

Install a new CA certificate

The vendor recommends the following steps be taken to address this vulnerability.

1. Admin creates/obtains a CA certificate for which only they have the private key.
2. Admin installs the CA certificate on FortiGate.
3. Admin uses “set caname xxx” to select that certificate for SSL deep inspection.

Disable the Fortigate CA certificate

Endpoints should not trust the self-signed Fortigate CA certificate. The following certificate information is for the certificate that should be distrusted:

Subject: “E = support@fortinet.com; CN = FortiGate CA; OU = Certificate Authority; O = Fortinet; L = Sunnyvale; S = California; C = US”;
Thumbprint: 3e 20 7f 9a 6b d9 5c 7c 2b 89 11 67 d3 2f 57 87 2f 76 60 14

The preferable way to distrust a CA certificate is to import it into the “Untrusted certificates” branch of the system certificate store. To continue using SSL/TLS deep packet inspection, a new, unique CA certificate may be generated and imported into the Fortigate UTM appliance. To prevent users from experiencing certificate errors, that new CA certificate can be imported into web browsers. Chapter 6 of the FortiOS handbook contains instructions on how to replace the default CA certificate.
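One way to carry out the distrust step on a Windows endpoint, as an added example that is not part of the CERT/CC note or of Fortinet's guidance: it searches the local certificate stores for the thumbprint published above and moves every copy into the Disallowed (“Untrusted Certificates”) store. It assumes an elevated PowerShell session and certutil.exe on the PATH.

```powershell
# Added example (not from the CERT/CC note or Fortinet): locate the compromised
# FortiGate default CA by its published SHA-1 thumbprint and distrust it.
$BadThumbprint = '3E207F9A6BD95C7C2B891167D32F57872F766014'   # thumbprint from the note, spaces removed

# Walk every store under LocalMachine and CurrentUser; store containers have no
# Thumbprint property, so only certificate objects can match.
$found = Get-ChildItem -Path Cert:\ -Recurse |
    Where-Object { $_.Thumbprint -eq $BadThumbprint }

if (-not $found) {
    Write-Output 'FortiGate default CA not present in any local certificate store.'
    return
}

foreach ($cert in $found) {
    # PSParentPath looks like ...Certificate::LocalMachine\Root ; split into location and store
    $location, $store = ($cert.PSParentPath -split '::')[1] -split '\\'
    Write-Output ("Found in {0}\{1}: {2}" -f $location, $store, $cert.Subject)

    if ($store -eq 'Disallowed') { continue }   # already explicitly distrusted here

    # certutil works on LocalMachine stores by default and needs -user for CurrentUser stores
    $scope = if ($location -eq 'CurrentUser') { @('-user') } else { @() }

    # Export the DER bytes, add them to Disallowed, then delete the copy from the trusted store
    $derPath = Join-Path $env:TEMP 'fortigate-default-ca.cer'
    [IO.File]::WriteAllBytes($derPath, $cert.RawData)
    certutil @scope -addstore -f Disallowed $derPath
    certutil @scope -delstore $store $cert.Thumbprint
    Remove-Item $derPath
}

# Verify: any remaining copy of the certificate should now live only under a Disallowed store
Get-ChildItem -Path Cert:\ -Recurse |
    Where-Object { $_.Thumbprint -eq $BadThumbprint } |
    ForEach-Object { $_.PSParentPath }
```

Browsers that keep their own trust store (for example Firefox) must be checked separately; this script only covers the Windows system and user stores.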

Vendor Information

Vendor: Fortinet, Inc.
Status: Affected
Date Notified: 07 Sep 2012
Date Updated: 30 Oct 2012

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           4.6    AV:A/AC:H/Au:N/C:C/I:N/A:N
Temporal       3.7    E:F/RL:W/RC:UC
Environmental  3.7    CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

http://docs.fortinet.com/fos40hlp/43/wwhelp/wwhimpl/common/html/wwhelp.htm?context=fgt&file=misc_utm_chapter.61.13.html
http://kb.fortinet.com/kb/viewContent.do?externalId=FD32404
http://www.fortinet.com/solutions/unified_threat_management.html
https://media.torproject.org/misc/2012-07-03-cyberoam-CVE-2012-3372.txt
http://docs.fortinet.com/fos40hlp/43/wwhelp/wwhimpl/js/html/wwhelp.htm

Credit

Thanks to Bitwiper for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs:
CVE-2012-4948

Date Public:
22 Oct 2012

Date First Published:
02 Nov 2012

Date Last Updated:
02 Nov 2012

Document Revision:
19

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

VU#936363: CA ARCserve Backup opcode 0x7a RWSList remote code execution vulnerability

Vulnerability Note VU#936363
CA ARCserve Backup opcode 0x7a RWSList remote code execution vulnerability

Original Release date: 30 Oct 2012 | Last revised: 30 Oct 2012

Overview

The CA ARCserve Backup authentication service, caauthd.exe, is susceptible to a pre-authentication remote code execution vulnerability. Arbitrary code will run with NT AUTHORITY\SYSTEM privileges. CA ARCserve Backup r16 SP1 was reported to be vulnerable.

Description

The Offensive Security advisory states:

By replacing a particular xdr_rwslist object expected in an RPC authentication packet (opcode 0x7a) with another xdr_rwobject, function sub_416E80 will call a non-existent or invalid virtual function (RWSlistCollectables::at) that can be controlled by the attacker. Authentication is not required to trigger the bug and successful exploitation of this vulnerability for the caauthd.exe process will lead to remote code execution with NT AUTHORITY\SYSTEM privileges. Failed exploitation will lead to a denial of service.

Additional details may be found in the full Offensive Security advisory and CA20121018-01: Security Notice for CA ARCserve Backup.

Impact

An unauthenticated attacker may be able to execute remote code with NT AUTHORITY\SYSTEM privileges.

Solution

Apply a Patch

CA ARCserve Backup for Windows r12.5 apply patch RO49917
CA ARCserve Backup for Windows r15 apply patch RO49916
CA ARCserve Backup for Windows r16 apply patch RO49750

If you cannot apply the patch, consider the following workarounds.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks.

Use the Microsoft Enhanced Mitigation Experience Toolkit

The Microsoft Enhanced Mitigation Experience Toolkit (EMET) can be used to help prevent exploitation of this vulnerability. CERT/CC has created a video tutorial for setting up EMET 3.0 on Windows 7.

Enable DEP in Microsoft Windows

Consider enabling Data Execution Prevention (DEP) in supported versions of Windows. DEP should not be treated as a complete workaround, but it can mitigate the execution of attacker-supplied code in some cases. Microsoft has published detailed technical information about DEP in Security Research & Defense blog posts “Understanding DEP as a mitigation technology” part 1 and part 2. DEP should be used in conjunction with the application of patches or other mitigations described in this document.

Note that when relying on DEP for exploit mitigation, it is important to use a system that supports Address Space Layout Randomization (ASLR) as well. ASLR is not supported by Windows XP or Windows Server 2003 or earlier. ASLR was introduced with Microsoft Windows Vista and Windows Server 2008. Please see the Microsoft SRD blog entry: On the effectiveness of DEP and ASLR for more details.

Vendor Information

Vendor: CA Technologies
Status: Affected
Date Notified: 11 Jul 2012
Date Updated: 31 Aug 2012

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           10.0   AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal       7.8    E:POC/RL:OF/RC:C
Environmental  7.8    CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

http://www.offensive-security.com/vulndev/ca-arcserve-rwslist-remote-code-execution/
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={F9EEA31E-8089-423E-B746-41B5C9DD2AC1}

Credit

Thanks to Matteo Memelli of Offensive Security for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs:
CVE-2012-2971

Date Public:
31 Aug 2012

Date First Published:
30 Oct 2012

Date Last Updated:
30 Oct 2012

Document Revision:
24

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

VU#408099: CA ARCserve Backup authentication service denial-of-service vulnerability

Vulnerability Note VU#408099
CA ARCserve Backup authentication service denial-of-service vulnerability

Original Release date: 30 Oct 2012 | Last revised: 30 Oct 2012

Overview

The CA ARCserve Backup authentication service, caauthd.exe, is susceptible to a denial-of-service vulnerability. CA ARCserve Backup r16 SP1 was reported to be vulnerable.

Description

The Offensive Security advisory states:

By specifying an invalid field size for the encrypted username or password in a crafted RPC packet, the authentication service performs an invalid pointer dereference while trying to decrypt the character string. Authentication is not required to trigger the vulnerability and successful exploitation of this vulnerability for the caauthd.exe process will lead to a denial of service.

Additional details may be found in CA20121018-01: Security Notice for CA ARCserve Backup.

Impact

An unauthenticated remote attacker may be able to trigger a denial-of-service condition.

Solution

Apply a Patch

CA ARCserve Backup for Windows r12.5 apply patch RO49917
CA ARCserve Backup for Windows r15 apply patch RO49916
CA ARCserve Backup for Windows r16 apply patch RO49750

If you cannot apply the patch, consider the following workaround.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks.

Vendor Information

Vendor: CA Technologies
Status: Affected
Date Notified: 11 Jul 2012
Date Updated: 31 Aug 2012

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           7.8    AV:N/AC:L/Au:N/C:N/I:N/A:C
Temporal       6.1    E:POC/RL:OF/RC:C
Environmental  6.1    CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={F9EEA31E-8089-423E-B746-41B5C9DD2AC1}

Credit

Thanks to Matteo Memelli of Offensive Security for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs:
CVE-2012-2972

Date Public:
31 Aug 2012

Date First Published:
30 Oct 2012

Date Last Updated:
30 Oct 2012

Document Revision:
22

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

VU#713012: CA Siteminder login.fcc form XSS vulnerability

Vulnerability Note VU#713012
CA Siteminder login.fcc form XSS vulnerability

Overview

CA Siteminder R6 SP6 CR7, R12 SP3 CR8 and possibly previous versions are vulnerable to a reflected cross-site scripting (XSS) vulnerability.

I. Description

According to CA’s website: “CA SiteMinder provides a centralized security management foundation that enable…