Vulnerability in OpenCA allows attackers to generate unauthorised certificates
Cross-site request forgery (CSRF), also known as session riding, can allow attackers to deactivate firewalls on vulnerable routers or add new accounts to content management systems. Now it appears that the OpenCA open source certification authority also has problems in this respect. If a CA administrator visits a crafted web page while the OpenCA front end is open in another browser window, the attacker can have a certificate of their own choosing issued in the administrator's context. In a security advisory, Alexander Klink notes that OpenCA authenticates the administrator only once: after login, a single session cookie is all that authorises every subsequent request, and the browser attaches that cookie automatically to any request aimed at the CA, regardless of which page triggered it.
Because the web forms are not explicitly protected, an attacker can embed specific requests in image tags on a web page and thereby send them to the CA via the administrator's browser. Klink includes some examples in his advisory. The attack also requires the attacker to guess some serial numbers, but this is not thought to be difficult. OpenCA 0.9.2.5 is affected. No official update is available, even though the developers received a patch developed by Klink in early January. Klink has now published his advisory and patch independently because, according to him, the development team has stopped responding. Klink admits that the patch is not fully tested, so users should be circumspect about installing it on live systems.
The patch adds an extra token as a parameter to every internal link and form. The server derives the token from the SHA-1 hash of the session ID held in the cookie and rejects any request that does not carry the correct token. Because a page on the attacker's site cannot read the cookie, it cannot compute the token either, so a forged request that arrives with the cookie alone is refused.
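The following is an added illustration, not code from OpenCA or from Klink's patch. It models both sides of the story in a few lines of Python: a forged request that rides on the administrator's session cookie (as described for the image-tag attack above) succeeds against a handler that checks only the cookie, and fails against a handler that also demands the SHA-1-of-session-ID token the patch adds. The session ID, user name, URL path and `issueCert` command are constructed for the example and do not correspond to OpenCA's real identifiers.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed sample data: one logged-in CA administrator whose browser holds
# this session cookie. The session ID and user name are made up for the example.
SESSIONS = {"4f3c9a1e7b2d": "ca_admin"}
ADMIN_COOKIES = {"session": "4f3c9a1e7b2d"}

# Hypothetical front-end path; OpenCA's real URLs differ.
CA_PATH = "/cgi-bin/pki/ca"


def csrf_token(session_id: str) -> str:
    """Token bound to the session: SHA-1 of the session ID from the cookie.

    A page on the attacker's site never sees the cookie value, so it cannot
    compute this token and cannot include it in a forged request.
    """
    return hashlib.sha1(session_id.encode()).hexdigest()


def internal_link(session_id: str, cmd: str, **params) -> str:
    """Build an internal link or form action that carries the token parameter."""
    query = dict(params, cmd=cmd, token=csrf_token(session_id))
    return f"{CA_PATH}?{urlencode(query)}"


def _params(query: str) -> dict:
    return {k: v[0] for k, v in parse_qs(query).items()}


def _issue(user: str, params: dict):
    return 200, f"{user} issued certificate for serial {params.get('serial')}"


def handle_vulnerable(cookies: dict, query: str):
    """Pre-patch behaviour: the session cookie alone authorises the action."""
    user = SESSIONS.get(cookies.get("session"))
    if user is None:
        return 403, "not authenticated"
    return _issue(user, _params(query))


def handle_patched(cookies: dict, query: str):
    """Patched behaviour: the request must also carry the token for this cookie."""
    session_id = cookies.get("session")
    user = SESSIONS.get(session_id)
    if user is None:
        return 403, "not authenticated"
    params = _params(query)
    # Constant-time comparison so the check itself cannot be used to guess the token.
    if not hmac.compare_digest(params.get("token", ""), csrf_token(session_id)):
        return 403, "missing or wrong CSRF token"
    return _issue(user, params)


# The attacker's page contains an image tag whose URL points at the CA, e.g.
#   <img src="https://ca.example/cgi-bin/pki/ca?cmd=issueCert&serial=4711">
# The administrator's browser fetches it and attaches the session cookie,
# but the attacker has no way to put a valid token into the URL.
FORGED_QUERY = "cmd=issueCert&serial=4711"


def csrf_against_vulnerable() -> int:
    """HTTP status the forged request gets from the unpatched handler."""
    return handle_vulnerable(ADMIN_COOKIES, FORGED_QUERY)[0]


def csrf_against_patched() -> int:
    """HTTP status the forged request gets from the patched handler."""
    return handle_patched(ADMIN_COOKIES, FORGED_QUERY)[0]


def legitimate_against_patched() -> int:
    """A link generated by the front end itself still works after the patch."""
    link = internal_link(ADMIN_COOKIES["session"], "issueCert", serial="4711")
    return handle_patched(ADMIN_COOKIES, link.split("?", 1)[1])[0]


if __name__ == "__main__":
    print("unpatched, forged request:", csrf_against_vulnerable())     # 200
    print("patched, forged request:  ", csrf_against_patched())        # 403
    print("patched, internal link:   ", legitimate_against_patched())  # 200
```

Two caveats a practitioner would keep in mind with this scheme: the token is only as secret as the session ID it is derived from, and because it travels in link query strings it can leak through the Referer header to any external site the CA front end links to, so such links should not exist or should be stripped of the token.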
- OpenCA - Cross Site Request Forgery (XSRF), security advisory from Alexander Klink