SA69 : Update to ProxySG browser trusted CCL

1246

03 March 2020

15 February 2012

CLOSED

MEDIUM

CVSS v2: 4.3

SUMMARY

The list of browser trusted CA certificates has been updated to remove untrusted and expired CAs and to add new trusted CAs. An attacker who can obtain a certificate from an untrusted CA that is still trusted by ProxySG can pose as a legitimate OCS to harvest confidential user information and to deliver malware to the client.

AFFECTED PRODUCTS

All versions of ProxySG prior to 6.3 that are configured to intercept SSL traffic and use the default browser-trusted CCL for OCS certificate validation are vulnerable.

Patches

  • ProxySG 6.3 - a fix is available in 6.3.1.1.
  • ProxySG 6.2 - a fix is available in 6.2.8.1.
  • ProxySG 6.1 - a fix will not be provided.  Please upgrade to a later version that has the vulnerability fix.
  • ProxySG 5.5 - a partial fix is available in 5.5.9.1.  The fix is available to customers with a valid BlueTouch Online login. All CA certificates that should be deleted are deleted.  Only a subset of the CA certificates that should be added are added.  No further updates are planned in 5.5 to add the remaining CA certificates.
  • ProxySG 5.4 - a fix is available in 5.4.11.2.
  • ProxySG 5.3 - please update to a later version.

ISSUES

No CVEs are associated with this vulnerability.

When the ProxySG appliance intercepts an HTTPS connection, it terminates the client request and then initiates a new request to the OCS, posing as the client.  It is critical that the ProxySG have an up-to-date list of trusted CA certificates to ensure that the OCS is authenticated and the connection is trustworthy.  The ProxySG appliance uses its built-in browser-trusted CA Certificate List (CCL) for this purpose by default.  The browser-trusted CCL includes most of the well-known CAs trusted by common browsers such as Internet Explorer and Firefox.  An administrator can add and remove CAs from this list.

Using an out-of-date browser-trusted CCL can result in trusting the certificate of an OCS that should not be trusted when proxying a client connection.  An attacker can use this misplaced trust to pose as a legitimate OCS to harvest confidential user information and to deliver malware to the client.  Using an out-of-date browser-trusted CCL can also result in failing to trust certificates of an OCS that should be trusted.

In versions prior to 6.3, the ProxySG appliance’s list of browser-trusted CAs is automatically updated only upon SGOS upgrade.  In version 6.3 the Downloadable CA List feature was added to allow the appliance to automatically download an updated browser-trusted list of CAs every seven days by default.  Please refer to the ProxySG Administrator's Guide for more information.

This update to the browser-trusted CCL removes 38 CAs that should not be trusted or that have expired.  It also adds 170 new CAs that are trusted by most browsers.

The CAs that were deleted are listed below as they are named in the browser trusted CCL.

RSA_Secure_Server_CA
VRSN_Class_3_Pub
Thawte_Server_CA
Thawte_Prem_Srv
DST_RootCA_X2
DST_UPS_RootCA
DST_Baltimore
DST-ABA.ECOM
CWHKT_SecureNet
CWHKT_SecureNetA
Belgacom_E-Trust
Notariado_Nacion
ColegioMexicana
CWHKT_SecureNetB
CWHKT_SecureSGC
DST_Retail
DST_RootCA_X1
GlobalSign_Root
IPS_SERVIDORES
VRSN_Class_1_Pub
Symantec_Root_CA
TC_TrustCenter_Class4
TrustCenter_Timestamping_CA
SecureNet_Class_B
SecureNet_CA_Root
XCert_EZ_DST
SecureNet_CA_SGC_Root
TC_TrustCenter_Class1
SecureNet_CA_Class_A
Servicios_De_Certification
TC_TrustCenter_Class3
beTRUSTed_Root
VRSN_Timestamp
TC_TrustCenter_Class2
Entrust_Premium_Server_2048
Microsoft_Internet_Authority
Microsoft_Secure_Server_Authority
DigiNotar_Root_CA

The CAs that were added are listed below as they are named in the browser trusted CCL.

CertSIGN_ROOT_CA
WellsSecure_Public_Root
ComSign_CA
Starfield_Services_Root_G2
NetLock_Arany_Gold_Fotanusitvany
SECOM_Trust_EV_RootCA1
ComSign_Secured_CA
Juur_SK
Go_Daddy_Root_G2
ACEDICOM_Root
TC_TrustCenter_C3_CAII
VRSN_C3_Public_primary
Staat_Nederlanden_Root_G2
Elektronik_Sertifika_Hizmet_Saglayicisi
VRSN_Universal_Root
Generalitat_Valenciana
GlobalSign_Root_CA
Japanese_Gov_AppCA
CyberTrust_Global
SecureSign_RootCA11
STrust_Auth_Enc_Root_2005_PN
AffirmTrust_Networking
Hongkong_Post_CA1
AC_Raiz_Certicamara_SA
Buypass_C3_CA1
CA_Disig
VRSN_C1_Public_Primary
Certinomis_Autorite_Racine
TC_TrustCenter_Universal_CAI
Thawte_Primary_Root_G3
Autoridad_Firmaprofesional_CIF_A62634068
GeoTrust_Primary_G3
TUBITAK_UEKAE_Kok_Surum3
Starfield_Root_G2
GlobalSign
Microsec_ESzigno_2009
AffirmTrust_Commercial
Certum_Trusted_Network
Chambers_Commerce_Root_2008
Certigna
Microsec_ESzigno_Root
Chunghwa_EPKI_Root
OISTE_WISeKey_Root_GA
CNNIC_ROOT
IGC_A
ATrust_NQual03
TC_TrustCenter_CAIII
EGuven_Hizmet_Saglayicisi
Buypass_C2_CA1
AffirmTrust_Premium
Izenpe_Com
Global_Chambersign_Root_2008
TC_TrustCenter_C2_CAII
Halcom_CA_PO2
ICA_Qualified_09_2009
Thawte_Premium_Server
Common_Policy
ECRaizEstado
Sigov_CA
Starfield_Services_Root
Certeurope_Root_CA2
Gatekeeper_Root
AC_RAIZ_DNIE
VRK_Gov_Root
Entrust_Net_2048
TURKTRUST_Hizmet_Saglayicisi
Actalis_Auth_G1
ANF_Server
UCA_Root
SwissSign_Gold_Root_G3
ACERT_ADVANCED
GLOBALTRUST
Serasa_CAIII
TC_TrustCenter_C4_CAII
ICA_Qualified_Root_Certificate
Macao_Post_ESignTrust_Root
DTRUST_ROOT_C2_2007
TURKTRUST_Islem_Hizmetleri
Correo_Uruguayo_Root
EME_SSI_RCA
Autoridad_Raiz_Economia
Autoridade_Raiz_Brasileira
GPKIRootCA
ETRust_Primary_Qualified
NetLock_Platina_Fotanusitvany
VAS_Latvijas_Pasts_SSI_RCA
Primary_Utility_Root
Cisco_Root_2048
Halcom_CA_FO
KEYNECTIS_ROOT
CESAM
PostSignum_Root_QCZ2
Autoridad_Secretaria_Economia
ACNLB
Serasa_CAI
China_Network_Info_Center_EV
InfoNotary_CSP_Root
TWCA_Root_CA
Sigen_CA
POSTArCA
ECERT_ROOT
ANCERT_Notariales
Autoridade_Brasileira_V1
SSC_ROOT_CA_B
SITHS_CA_V3
Security_Communications_ROOTCA2
Application_CA_G2
POST_Trust_ROOT_CA
ESign_Imperito_Primary_Root
SwissSign_Silver_Root_G3
CCA_India_2007
VI_Registru_Centras_RCSC
Agence_Nationale_Certification_Electronique
Netrust_CA1
Trustis_EVS
CERTICAMARA_SA
SSC_Root_CA_C
Serasa_CAII
Agence_Nationale_Electronique
Autoridad_Estado_Venezolano
ATrust_Qual_02
Verizon_Global_Root
ATrust_NQual_01
COMODO_RSA
ATrust_Qual_03
AdminCA_CD_T01
TURKTRUST_Islem_Hizmetleri_Kasim_2005
Federal_Common_Policy
SwissSign_Platinum_G3
EC_ACC
IpsCA_Global_Root
DTRUST_Qualified_Root_CA1_2007PN
Public_Notary_Root
Admin_Root_CA
DTRUST_Root_C3_2007
Posta_CA_Root
ANCERT_Derecho_Publico
Certipost_ETrust_Normalised
KISA_RootCA1
TrustCenter_Universal_CAII
AC_RAIZ_FNMT_RCM
Symantec_Root_2005
Gov_Korea_Root_CA
SSC_Root_CA_A
KISA_RootCA_3
Certificado_Clave_Principa
TeliaSonera_Root_V1
IPSCA_Main_CA_Root
UCA_Global_Root
ICA_Standard_09_2009
Visa_Info_Delivery_Root
ANCERT_Certificados_CGN
Echowork_Root_CA2
Thawte_Server_CA
USERTrust_RSA
Prnvi_Certifikacni_Autorita_AS
Izenpe_Com_Mediterraneo_Etorbidea3
ATrust_Qual_01
Autoridad_Certificacion_Abogacia
Trustis_FPS_Root
Entrust_Root_G2
Registradores_Espana_Raiz
ComSign_Advanced_Security
MS_Root_2010
Certipost_ETrust_TOP
VRSN_Class_3_Pub_Pri_Cert_Auth_G1
Entrust.net_Certification_Authority
Entrust_Certification_Authority_L1C
VRSN_Class_3_Ext_Val_SSL_CA
Go_Daddy_Sec_CA

MITIGATION

Customers are encouraged to regularly inspect their browser-trusted list of CAs to ensure that they trust only those CAs that they believe should be trusted. Certificates that are expired or that are no longer trusted, including those listed in this advisory, should be removed.
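
One way to run the inspection described above, as an added example that is not part of the original advisory or of any vendor tooling: it assumes the CCL entry names are available as text, one per line (that input format is an assumption), and compares them with the deleted list in this advisory. Thawte_Server_CA appears in both the deleted and the added lists, so a match on that name is reported for manual verification rather than for removal.

```python
# Added example: compare CCL entry names with the advisory's deleted-CA list.
# The 38 names below are copied from the "deleted" list in this advisory.
REMOVED = set("""
RSA_Secure_Server_CA VRSN_Class_3_Pub Thawte_Server_CA Thawte_Prem_Srv
DST_RootCA_X2 DST_UPS_RootCA DST_Baltimore DST-ABA.ECOM CWHKT_SecureNet
CWHKT_SecureNetA Belgacom_E-Trust Notariado_Nacion ColegioMexicana
CWHKT_SecureNetB CWHKT_SecureSGC DST_Retail DST_RootCA_X1 GlobalSign_Root
IPS_SERVIDORES VRSN_Class_1_Pub Symantec_Root_CA TC_TrustCenter_Class4
TrustCenter_Timestamping_CA SecureNet_Class_B SecureNet_CA_Root XCert_EZ_DST
SecureNet_CA_SGC_Root TC_TrustCenter_Class1 SecureNet_CA_Class_A
Servicios_De_Certification TC_TrustCenter_Class3 beTRUSTed_Root VRSN_Timestamp
TC_TrustCenter_Class2 Entrust_Premium_Server_2048 Microsoft_Internet_Authority
Microsoft_Secure_Server_Authority DigiNotar_Root_CA
""".split())

# Listed as both deleted and added, so the name alone cannot tell which
# certificate is installed; confirm against the certificate itself.
AMBIGUOUS = {"Thawte_Server_CA"}

def audit_ccl(exported_text):
    """Classify CCL entry names (assumed input: one name per line, '#' comments)."""
    names = set()
    for line in exported_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.add(line)
    hits = names & REMOVED
    return {
        "remove": sorted(hits - AMBIGUOUS),
        "verify": sorted(hits & AMBIGUOUS),
        "not_in_deleted_list": sorted(names - REMOVED),
    }

# Constructed sample input, not taken from a real appliance.
SAMPLE = """\
# browser-trusted CCL entries (constructed)
DigiNotar_Root_CA
Thawte_Server_CA
Go_Daddy_Root_G2
DST_RootCA_X1
"""

if __name__ == "__main__":
    for bucket, entries in audit_ccl(SAMPLE).items():
        print(f"{bucket}: {', '.join(entries) or '-'}")
```

Entries in the last bucket are only absent from this advisory's deleted list; they still need the expiry and trust review the paragraph above calls for.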

REFERENCES

For more information on the browser-trusted CCL, see the "Managing SSL Traffic" chapter of the SGOS Administration Guide.

REVISION

2015-01-27 SGOS 6.1 will not be fixed. Marked as Final.
2013-10-17 Updated Patches information for SGOS 6.2, 5.4, and 5.3.
2012-05-09 Notification of a partial fix for 5.5.
2012-04-02 Added list of deleted and added CAs.
2012-02-15 Initial public release