In association with heise online

18 February 2008, 10:51

Vulnerability in OpenCA allows attackers to generate unauthorised certificates

Cross-site request forgery (CSRF), also known as session riding, can allow attackers to deactivate firewalls on vulnerable routers or add new accounts to content management systems. Now it appears that the OpenCA open source certification authority also has problems in this respect. If a CA administrator visits a crafted web page while the OpenCA front end is open in another browser window, the attacker can have a certificate of their choosing issued in the administrator's context. In a security advisory, Alexander Klink notes that OpenCA authenticates only once: after login, a single session cookie is all that subsequent requests are checked for, and the browser attaches that cookie automatically to any request for the CA's host, whichever site triggered it.

Because the web forms are not protected against forged submissions, an attacker can embed the relevant requests in image tags on a web page and thereby have them sent to the CA via the administrator's browser. Klink includes some examples in his advisory. The attack also requires the attacker to guess some serial numbers, but this is not thought to be difficult. No official update is available for the affected OpenCA release, even though the developers received a patch developed by Klink in early January. Klink has now published his advisory and patch independently because, according to him, the development team has stopped responding. Klink admits that the patch is not fully tested, so users should be circumspect about installing it on live systems.

The patch adds an additional token as a parameter to all internal links and forms. The token is derived by the server as the SHA-1 hash of the session ID carried in the cookie, and the server rejects any request that does not contain the correct token for its session. Because the token is a deterministic function of the session ID, it is exactly as secret as the cookie itself, which is precisely the value a cross-site attacker can cause the browser to send but cannot read. The trade-off of carrying it in every internal URL is that it also appears in Referer headers and server logs, so a session whose token has leaked that way should be treated as exposed.
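To make the mechanism concrete, the following is an added example written for this article; it is not code from OpenCA, from the article or from Klink's advisory. It models the pre-patch handler (session cookie is the only check), the patched handler (session cookie plus a SHA-1-of-session-ID token compared in constant time), and the forged request an image tag would issue. The CGI path, the `cmd`/`serial`/`token` parameter names and the session value are all hypothetical placeholders, not OpenCA's actual interface.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample value standing in for the session ID in the administrator's
# cookie. It is not a real OpenCA session, and the CGI path and parameter names
# below are illustrative, not OpenCA's own.
ADMIN_SESSION_ID = "7f3a9c21e5d84b60f1c2a7e3b9d4c5f6"
CA_BASE_URL = "https://ca.example/cgi-bin/pki/ca"


def csrf_token(session_id: str) -> str:
    """Per-session token built the way the article describes the patch doing it:
    the SHA-1 hash of the session ID carried in the cookie.

    A cross-site attacker can make the browser *send* the cookie but cannot
    *read* it, so they cannot compute this value for the victim's session."""
    return hashlib.sha1(session_id.encode()).hexdigest()


def _params(url: str) -> dict:
    """Flatten the query string to single values for the handlers below."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def handle_unprotected(url: str, cookie_session_id: str) -> str:
    """Pre-patch behaviour: a valid session cookie is the only check, so any
    request the browser can be tricked into sending is executed."""
    if not cookie_session_id:
        return "rejected: not authenticated"
    p = _params(url)
    return f"executed: {p.get('cmd')} serial={p.get('serial')}"


def handle_protected(url: str, cookie_session_id: str) -> str:
    """Patched behaviour: every request must also carry the token matching the
    session in the cookie. Compared in constant time so the check does not
    leak how much of a guessed token was right."""
    if not cookie_session_id:
        return "rejected: not authenticated"
    p = _params(url)
    expected = csrf_token(cookie_session_id)
    supplied = p.get("token", "")
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return "rejected: missing or invalid CSRF token"
    return f"executed: {p.get('cmd')} serial={p.get('serial')}"


def internal_link(session_id: str, **params: str) -> str:
    """What the patched front end emits for its own links and forms: the
    token for the current session is appended to every internal URL."""
    params["token"] = csrf_token(session_id)
    return f"{CA_BASE_URL}?{urlencode(params)}"


# The request an attacker plants in an <img src="..."> on a page the
# administrator visits. The serial number is guessed; the session ID, and
# hence the token, is unknown to the attacker.
FORGED_URL = f"{CA_BASE_URL}?cmd=issue_cert&serial=4711"


def demo() -> dict:
    """Run the forged request and a legitimate one against both handlers."""
    legit = internal_link(ADMIN_SESSION_ID, cmd="issue_cert", serial="4711")
    return {
        "forged_unprotected": handle_unprotected(FORGED_URL, ADMIN_SESSION_ID),
        "forged_protected": handle_protected(FORGED_URL, ADMIN_SESSION_ID),
        # An attacker who knows the scheme but not the session still fails.
        "guessed_token": handle_protected(FORGED_URL + "&token=" + "0" * 40, ADMIN_SESSION_ID),
        "legit_protected": handle_protected(legit, ADMIN_SESSION_ID),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} {result}")
```

The unprotected handler executes the forged request because the browser supplied the cookie; the protected handler rejects both the bare forged URL and one with a guessed token, while the front end's own links, which carry the correct token, still work.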
