Symantec DV Certificate Issuance System Improperly Handled Domain Email Address Special Characters

1345

05 March 2020

04 February 2016

CLOSED

MEDIUM

5.8

SUMMARY

 

Symantec's domain-validated (DV) SSL/TLS certificate issuance system (e.g. RapidSSL, QuickSSL) did not properly handle special characters in an email address when verifying a domain owner through email addresses found in WHOIS records. This could have potentially resulted in the issuance of a DV certificate for possible fraudulent use.

AFFECTED PRODUCTS

 

Symantec Domain Validation Certificates

CVE: CVE-2015-6553

Affected Version(s): All

Remediation: Addressed in Current Service Offering

 

ISSUES

 

CVE-2015-6553

Severity/CVSSv3: Medium / 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N

References: Securityfocus: BID 80378 / NVD: CVE-2015-6553

Impact: Symantec DV Certificate Issuance System Improperly Handled Domain Email Address Special Characters

Description:

DV certificates require the lowest level of authentication to validate an SSL/TLS certificate order. Certificate Authorities (CAs) issue DV certificates by looking up the domain's WHOIS record and then sending an approval email to the registrant email address found in that record.

 

Symantec's DV SSL/TLS certificate issuance system did not properly handle special characters that are allowed, but not commonly used, in email addresses found in WHOIS records. This could have potentially allowed an individual to use an otherwise legitimate domain name to fraudulently obtain a valid DV SSL/TLS certificate. Such a valid DV certificate could have potentially been used, for example, to provide authentication to an otherwise malicious phishing site.
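
The advisory does not say which characters were mishandled. As an added illustration (not Symantec's code and not part of the original advisory), the following shows one fail-closed way to vet approver addresses taken from a WHOIS record before any approval email is sent. The field names, the allowlist policy and the sample record are assumptions constructed for this example.

```python
import re

# Policy assumed for this example: fail closed. RFC 5322 permits quoted local
# parts, comments and many punctuation characters; an approver address that
# needs any of them goes to manual review instead of receiving the approval mail.
LOCAL_RE = re.compile(r"[A-Za-z0-9]+(?:[._+-][A-Za-z0-9]+)*")
LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
# Field names are hypothetical; real WHOIS output varies by registry.
FIELD_RE = re.compile(r"^(?:Registrant|Admin|Tech) Email:(.*)$", re.M)

# Constructed sample record (not taken from the advisory or the report).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrant Email: hostmaster@example.com
Admin Email: "domain admin"@example.com
Tech Email: ops!relay%queue@example.com
Tech Email: first@example.com;second@example.org
"""


def check_address(raw):
    """Return (address, None) if safe to mail, else (None, reason)."""
    if raw != raw.strip() or not raw.isascii() or not raw.isprintable():
        return None, "whitespace, control or non-ASCII characters"
    if len(raw) > 254 or raw.count("@") != 1:
        return None, "too long or not exactly one '@'"
    local, domain = raw.split("@")
    if len(local) > 64 or not LOCAL_RE.fullmatch(local):
        return None, "local part outside allowlist"
    labels = domain.split(".")
    if len(labels) < 2 or not all(LABEL_RE.fullmatch(l) for l in labels):
        return None, "malformed domain"
    return local + "@" + domain.lower(), None


def approver_candidates(whois_text):
    """Split WHOIS e-mail fields into mailable addresses and rejects."""
    accepted, rejected = [], []
    for value in FIELD_RE.findall(whois_text):
        addr, reason = check_address(value.strip(" "))
        if addr:
            accepted.append(addr)
        else:
            rejected.append((value.strip(" "), reason))
    return accepted, rejected


if __name__ == "__main__":
    print(approver_candidates(SAMPLE_WHOIS))
```

The address returned by `check_address` is the exact string that should be handed to the mailer, so the value that was validated and the value that is mailed cannot diverge.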

 

MITIGATION

 

Symantec Response 
Symantec engineers verified this issue and resolved it in the Symantec DV SSL/TLS certificate issuance system. No customer upgrade is required. Existing customer SSL/TLS certificates have been re-validated. Symantec is not aware of exploitation of or adverse impact from this finding.

ACKNOWLEDGEMENTS

 

Symantec would like to thank Andrew Ayer of SSLMate, https://www.agwa.name/, for reporting this issue and coordinating with us as we worked through it.