Vigil@nce: Cisco IronPort Web Security Appliance, incorrect validation of certificates
April 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
The Cisco IronPort Web Security Appliance product does not
correctly validate the certificates of remote web servers before
generating a valid certificate for the client.
– Severity: 2/4
– Creation date: 11/04/2012
IMPACTED PRODUCTS
– Cisco IronPort Web Security Appliance
DESCRIPTION OF THE VULNERABILITY
The Cisco IronPort Web Security Appliance product can be configured
as a proxy in order to analyze SSL/TLS sessions. To do so, it acts
as a client of the remote SSL server, which gives it the cleartext
data to be analyzed, and then generates a certificate on the fly
which is sent to the clients of the proxy. However, the
certificates of remote SSL servers are not correctly checked:
Self-signed certificates are processed as certificates signed by
a recognized certification authority. [severity:2/4]
Certificates signed by an unknown root certification authority are
processed as certificates signed by a recognized certification
authority. [severity:2/4]
Certificates which are revoked by CRL/OCSP are processed as
certificates signed by a recognized certification authority.
[severity:2/4; CVE-2012-1316]
Certificates whose certificate chain is invalid are processed as
certificates signed by a recognized certification authority.
[severity:2/4; CVE-2012-1326]
Cached keys are reused even after the certificate of the remote
server has changed. [severity:2/4; CVE-2012-0334]
The Cisco IronPort Web Security Appliance product therefore does
not correctly validate the certificates of web servers before
generating a valid certificate for the client. The client thus
trusts a server that the proxy should have rejected, and may send
it sensitive data.
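The checks an intercepting proxy must run on the upstream certificate before it mints one for its own client, as an added example that is not part of the Vigil@nce bulletin and is not Cisco's code. It uses only the Go standard library: newCert, verifyUpstream, mintKey and scenarios are names chosen here, the PKI (a trusted root and intermediate, a rogue root, the hostname www.example.com and all serial numbers) is constructed in memory, and revocation is checked against a CRL only (OCSP is not modelled). Each case in scenarios corresponds to one item of the bulletin: a trusted chain is the only one for which the proxy may generate a certificate; a self-signed leaf, a leaf under an unknown root, a revoked leaf and a leaf presented without its intermediate are all refused. mintKey shows the fix for the cached-keys item: keying the cache of minted certificates on the upstream certificate's fingerprint rather than on the hostname means a changed upstream certificate can never be answered from a stale entry.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert issues a certificate for cn signed by parent/parentKey, or self-signed when parent is nil.
// CA certs get certSign/cRLSign so they can issue leaves and CRLs; leaves get a DNS SAN and serverAuth EKU.
func newCert(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.DNSNames, t.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// verifyUpstream is the check the proxy must pass before minting a client-facing certificate:
// the leaf must chain to a trusted root, match host, and not be listed on a CRL signed by its issuer.
func verifyUpstream(host string, leaf *x509.Certificate, inters []*x509.Certificate, roots *x509.CertPool, crl *x509.RevocationList) error {
	ip := x509.NewCertPool()
	for _, c := range inters {
		ip.AddCert(c)
	}
	// Verify defaults to the serverAuth EKU and checks the validity period against time.Now().
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: ip})
	if err != nil {
		return err // self-signed leaves, unknown roots and incomplete chains all fail here
	}
	if crl == nil || len(chains[0]) < 2 {
		return nil // no CRL supplied, or the leaf is itself the trust anchor (example assumption)
	}
	if err := crl.CheckSignatureFrom(chains[0][1]); err != nil { // chains[0][1] is the leaf's issuer
		return fmt.Errorf("CRL not signed by the leaf's issuer: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s is revoked", leaf.SerialNumber)
		}
	}
	return nil
}

// mintKey is the cache key for a minted certificate: the SHA-256 fingerprint of the upstream
// certificate, so a changed upstream certificate never hits a stale cached entry.
func mintKey(upstream *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(upstream.Raw))
}

// scenarios builds a constructed in-memory PKI and reports, per bulletin case, whether the proxy may mint.
func scenarios() map[string]bool {
	const host = "www.example.com" // constructed hostname
	root, rootKey := newCert("Trusted Root", 1, true, nil, nil)
	inter, interKey := newCert("Trusted Intermediate", 2, true, root, rootKey)
	good, _ := newCert(host, 3, false, inter, interKey)
	revoked, _ := newCert(host, 4, false, inter, interKey)
	selfSigned, _ := newCert(host, 5, false, nil, nil)
	rogueRoot, rogueKey := newCert("Rogue Root", 6, true, nil, nil)
	rogueLeaf, _ := newCert(host, 7, false, rogueRoot, rogueKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Hour), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: time.Now()}},
	}, inter, interKey)
	must(err)
	crl, err := x509.ParseRevocationList(crlDER)
	must(err)
	inters := []*x509.Certificate{inter}
	return map[string]bool{
		"trusted chain":    verifyUpstream(host, good, inters, roots, crl) == nil,
		"self-signed":      verifyUpstream(host, selfSigned, nil, roots, nil) == nil,
		"unknown root":     verifyUpstream(host, rogueLeaf, []*x509.Certificate{rogueRoot}, roots, nil) == nil,
		"revoked by CRL":   verifyUpstream(host, revoked, inters, roots, crl) == nil,
		"incomplete chain": verifyUpstream(host, good, nil, roots, crl) == nil,
	}
}
```

Calling scenarios() returns true only for "trusted chain"; every other entry is false, which is the behaviour the appliance lacked. Note that verifyUpstream is deliberately fail-closed: any error from Verify or from the CRL check means no certificate is generated for the client, and a CRL that is not signed by the leaf's issuer is treated as an error rather than ignored.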
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN