Juniper SIRT Security Notice: Certificate Vulnerabilities Due to MD5 Collisions

  [JSA10394]


Legacy Advisory Id:
PSN-2009-01-178
Product Affected:
Unspecified
Problem:
A vulnerability related to the use of MD5 hashes in the signing of Certificate Authority (CA) certificates was published on 2008-12-30 at the 25th Chaos Communication Congress (25C3) in Berlin, Germany. The presenters obtained a legitimately signed end-entity certificate from a commercial CA that signed with MD5, and constructed a second certificate, carrying CA status, whose to-be-signed data produced the same MD5 hash (a chosen-prefix collision). Because the CA's RSA signature covers only that hash, the signature copied from the legitimate certificate is equally valid on the rogue one. The rogue CA certificate may then be used to sign fraudulent certificates which appear to chain to the original CA although that CA never processed them. Such fraudulent certificates may be deployed by rogue web servers to impersonate legitimate web sites such as banks, on-line stores, or any other site a user would normally trust with privileged information, subverting the trust placed in the legitimate certificate. The resulting misplaced trust has implications for any application, protocol, or service that relies on digitally signed certificates where a CA anywhere in its Public Key Infrastructure (PKI) chain of trust issues MD5-based signatures.

No Juniper products or services are directly vulnerable to this issue. However, some customers may be vulnerable due to the presence of vulnerable certificates on their systems or in the CA certificate chain of trust.

Although MD5 is used in many different circumstances, not all of those uses serve authentication or authorization. The disclosed flaw applies to certificate signing, and relies on the attacker being able to predict the fields the CA will place in the certificate it signs, in particular the serial number and the validity period: the colliding certificate has to be prepared before the CA signs, so those fields must be known in advance. Not all certificate authorities issue certificates in a way that makes those fields predictable, and not all still sign with MD5. The researchers identified a known set of such certificate authorities, and all of them have taken steps to address this issue, but there may be additional vulnerable Certificate Authorities that have not yet been identified.

It should be noted that many uses of MD5 are specified by industry-standard protocols, and standards-setting bodies are currently investigating the implications of this latest research. Changes to those uses of MD5 cannot be undertaken immediately and must be coordinated with the industry at large. This and similar weaknesses in MD5 have been known for years (practical MD5 collisions were demonstrated in 2004), and Juniper Networks is accelerating its ongoing deprecation of all of its uses of MD5 as appropriate. This includes changing to SHA-1 (or, preferably, SHA-2) for applications that need certificate signatures or other hash-based integrity protection. A collision attack does not by itself break every use of MD5 (keyed constructions such as HMAC-MD5 are not affected by collisions in the same way), but each use still needs its own review. Juniper is also evaluating all of its uses of MD5 in applications, services, and functions in its products and services, so that each implementation of MD5 has a migration plan and documented workarounds.

Current analysis indicates that a successful attack using this vulnerability requires concerted, concentrated effort and leaves traces which can lead investigators back to the attacker. This risk assessment may change as more is learned about this vulnerability. Possible remediation and references for further information are offered below. Juniper Networks will update this statement, possibly without notice, if new or substantially different information is discovered.
Solution:
Do not use certificates with MD5-based signatures, at any level of the chain, with any Juniper Networks products; have them reissued with a SHA-family signature algorithm (SHA-1, or SHA-2 where the peers support it). Customers should direct questions about how a certificate was constructed and signed to the issuing certificate authority.

Juniper has released an IDP signature that can be used to determine whether someone in the organization is using an application whose certificate is signed using an MD5 hash. The details are at http://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=SRN-2008-12-159&actionBtn=Search (SRN-2008-12-159)

HTTP: SSL Certificate Signed With MD5 Hash
Severity: Medium
Recommended Policy: False
Description: This signature detects SSL certificates that have been signed using the MD5 hash algorithm. Known weaknesses in the MD5 algorithm allow for certificates signed with it to be spoofed by attackers. The certificate detected by this signature could potentially be illegitimate.

This provides a method to observe the extent of MD5-signed certificates inside an organization. The results may help an organization craft a migration plan away from certificates signed using an MD5 hash value to those signed using SHA-1 or SHA-2.
Implementation:
Juniper customers who have used a third-party certificate in the configuration or operation of a Juniper device should check with the issuing certificate authority to ensure they are not exposed to this attack. Vulnerable certificates may reside in any trust store consulted when a connection is validated, including the user's browser, the operating system, and the Juniper device itself, and customers should take steps to replace or remove all such certificates. An MD5 hash used in the signature of a certificate at any level of a certificate's chain of trust means that the entire chain must be treated as vulnerable, so it is necessary to check each level in the path rather than the leaf certificate alone. Customers should also verify that their own personal certificates (if any) are not vulnerable, as well as the local cache of web site certificates stored in the browser.
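As an added example, not code from this advisory or from Juniper: the check described in the Implementation section (walk every certificate in the path, not just the leaf) and the condition the IDP signature above looks for (a certificate whose signature algorithm is MD5) can both be expressed as a small Python script that reads the outer signatureAlgorithm OID of each DER-encoded certificate. It uses only the standard library. The certificates it checks are constructed skeletons built inline (stub tbsCertificate, dummy signature bits), so the fixture builder, the helper names and the sample chain are assumptions of this example, not anything taken from the advisory; the signature-algorithm OIDs are the standard RSA PKCS#1 ones.

```python
"""Audit a DER-encoded X.509 chain for MD5/MD2 signature algorithms.

Added example (not Juniper code): a minimal DER walker that reads the outer
signatureAlgorithm of each certificate, plus a constructed fixture builder so
the script runs offline without a real PKI.
"""
import base64
import re

# Signature-algorithm OIDs from RFC 3279 / RFC 4055 (PKCS#1 arc).
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}
KNOWN_SIG_OIDS = {
    **WEAK_SIG_OIDS,
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    """OID content octets -> dotted string (first octet packs the first two arcs)."""
    arcs = [content[0] // 40, content[0] % 40]   # fine for arcs 0/1/2 with second arc < 40
    cur = 0
    for b in content[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:                          # high bit clear = last octet of this arc
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


def signature_algorithm(cert_der):
    """Return the dotted OID of a certificate's outer signatureAlgorithm field.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    The outer field names the hash the *issuer* used; that is what the attack abuses.
    """
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)           # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)         # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def audit_chain(chain_der):
    """Check every certificate in a chain (leaf first). Returns (chain_is_weak, findings).

    One weak link anywhere taints the whole path, so the chain is only clean
    when every certificate passes.
    """
    findings = []
    for i, der in enumerate(chain_der):
        oid = signature_algorithm(der)
        findings.append((i, oid, KNOWN_SIG_OIDS.get(oid, "unknown"), oid in WEAK_SIG_OIDS))
    return any(f[3] for f in findings), findings


def pem_to_der(pem_text):
    """Strip PEM armour and base64-decode one certificate (as exported from a browser)."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s", "", pem_text)
    return base64.b64decode(body)


# ---- constructed fixtures: enough DER framing to exercise the parser, no real keys ----

def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                      # base-128, high bit set on all but the last octet
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_cert_skeleton(sig_oid):
    """Constructed fixture: Certificate SEQUENCE with a stub tbsCertificate and dummy signature."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                               # placeholder TBS
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")    # { OID, NULL }
    sig = _tlv(0x03, b"\x00" + b"\xAA" * 128)                           # BIT STRING, dummy RSA sig
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    # Sample chain: leaf signed with SHA-256, intermediate signed with MD5, root self-signed with SHA-1.
    chain = [make_cert_skeleton(o) for o in
             ("1.2.840.113549.1.1.11", "1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5")]
    weak, findings = audit_chain(chain)
    for idx, oid, name, is_weak in findings:
        print(f"cert[{idx}] {oid} {name} {'WEAK' if is_weak else 'ok'}")
    print("chain tainted" if weak else "chain clean")
```

To audit a real chain, export the PEM blocks from the browser or device, run `pem_to_der` on each and pass them leaf first. Two caveats this example adds that the advisory does not spell out: the parser deliberately does not verify any signature, it only reports which hash the issuer used; and a self-signed root is trusted by being present in the store rather than by its signature, so an MD5 self-signature on a root is reported here but is not in itself exploitable by this attack. The exposure comes from MD5 signatures a CA issues on the certificates below it.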
Related Links:
Risk Level:
Low
Risk Assessment:
This issue is not a vulnerability within any Juniper product, but may affect the secure operation of a Juniper product if a vulnerable certificate is in the CA chain of trust for a certificate a customer is using to connect to or manage a Juniper product.