StartSSL – Free SSL certs!

Thought I'd write a short blog post about public certificates for test environments. By public certificates I mean certificates issued by an external CA and trusted by most platforms.

If you have a test or lab environment and want to publish an external service with SSL, for example ADFS, you need a certificate. This certificate must be trusted by all devices used by consumers of the service. OK, it's a test environment, so you can use your own CA to issue the certificates and import the root CA certificate on all devices you are testing with. But I guess a lot of you out there aren't so into certificates that you find that especially interesting. 🙂

So what are your options? You can of course buy an SSL cert from DigiCert, Verisign or any other public CA. But I guess you don't want to spend too much money on your testing. And there is another alternative.

Try StartSSL.com (no, I'm not getting paid for this!). They use the StartCom Class 1 CA and issue free SSL certificates. And the best part is that the CA is trusted by almost every platform on the market.

All you need to do is create an account and you're on! There are of course some restrictions. For example, you can't issue SAN (Subject Alt Name) certs for free, the validity period is only 1 year, and there are no EV certs for free. But if you are just using it for test/lab, you're fine! (And I rebuild my test environment a couple of times a year, so I don't see any real drawbacks!)

A comparison chart of their certificates can be found here: http://www.startssl.com/?app=40

Well, that's all for now folks! 🙂

Poodle – CVE-2014-3566

Time for the next big security flaw! This time Google's Security Team has discovered a vulnerability in SSL 3.0, and the list of targets is huge. All implementations of SSL 3.0 are vulnerable to attack, and the recommendation is to disable SSL 3.0 as soon as possible. (As a matter of fact, SSL 3.0 is over 15 years old and, for obvious reasons, already outdated. But it's still widely deployed for compatibility reasons.)

But there are a lot of factors that make an attack less likely. For example, the attacker needs a “man-in-the-middle” position to exploit it, in most cases Java has to be enabled on the client side, and if someone attacks you they can take control of your sessions, but not steal your password.

A test to see if your browser is vulnerable can be done here: https://www.poodletest.com/

More info:

http://googleonlinesecurity.blogspot.se/2014/10/this-poodle-bites-exploiting-ssl-30.html

https://technet.microsoft.com/en-us/library/security/3009008.aspx

http://blog.erratasec.com/2014/10/some-poodle-notes.html#.VD4xhPl_u-4

Sandworm – CVE-2014-4114

A newly discovered zero-day vulnerability called Sandworm has been published today by iSight (http://www.isightpartners.com/2014/10/cve-2014-4114/). The vulnerability affects all supported versions of Windows and is rated critical.

Attacks using the vulnerability have been seen against NATO, power and telecom companies, Western European governments and US academic organizations. All discovered attacks have been traced back to cyber-espionage out of Russia.

A short summary:

  • An exposed dangerous method vulnerability exists in the OLE package manager in Microsoft Windows and Server
  • Impacting all versions of the Windows operating system from Vista SP2 to Windows 8.1
  • Impacting Windows Server versions 2008 and 2012
  • When exploited, the vulnerability allows an attacker to remotely execute arbitrary code
  • The vulnerability exists because Windows allows the OLE packager (packager.dll) to download and execute INF files. In the case of the observed exploit, specifically when handling Microsoft PowerPoint files, the packager allows a Package OLE object to reference arbitrary external files, such as INF files, from untrusted sources.
  • This will cause the referenced files to be downloaded and, in the case of INF files, to be executed with specific commands
  • An attacker can exploit this vulnerability to execute arbitrary code, but will need a specially crafted file and social engineering methods (observed in this campaign) to convince a user to open it
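A defender-side triage check for the behaviour in the summary above, as an added example that is not from the original post or from iSight: it lists embedded objects in a PowerPoint file that mention an external INF file. It assumes the reference is visible as a UNC path or URL string inside the `ppt/embeddings/` members of an OOXML (.pptx/.ppsx) archive; the function names and all sample values are constructed for illustration.

```python
import io
import re
import zipfile

MAX_MEMBER_BYTES = 32 * 1024 * 1024  # bounded read per member (zip-bomb guard)

# UNC path (\\host\...) or http(s) URL that ends in ".inf"
_REF = re.compile(r'(?:\\\\[\w.-]+\\|https?://)[^"<>|]{0,200}?\.inf\b', re.I)


def _strings(blob):
    """Yield printable ASCII and UTF-16LE runs, like the `strings` tool."""
    for m in re.finditer(rb"[ -~]{8,}", blob):
        yield m.group().decode("ascii")
    for m in re.finditer(rb"(?:[ -~]\x00){8,}", blob):
        yield m.group().decode("utf-16-le")


def external_inf_references(doc_bytes):
    """Return sorted (zip member, reference) pairs for embedded objects
    that mention an external .inf file."""
    hits = set()
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        for info in z.infolist():
            if not info.filename.lower().startswith("ppt/embeddings/"):
                continue
            with z.open(info) as member:
                blob = member.read(MAX_MEMBER_BYTES)
            for text in _strings(blob):
                hits.update((info.filename, m.group()) for m in _REF.finditer(text))
    return sorted(hits)


def constructed_sample(payload):
    """Build an in-memory test archive; NOT a real presentation or OLE object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/presentation.xml", "<p/>")
        z.writestr("ppt/embeddings/oleObject1.bin", payload)
    return buf.getvalue()


if __name__ == "__main__":
    ref = r"\\files.example.test\share\driver.inf"  # constructed value
    for member, found in external_inf_references(constructed_sample(b"\x01\x02" + ref.encode() + b"\x00")):
        print(f"{member}: references {found}")
```

A hit is a reason to quarantine and inspect the file, not proof of exploitation; an empty result only means no such string was found in the embedded objects.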

[Screenshot: the properties of the affected file (packager) from Windows 8.1]

According to information, Microsoft will release a patch for this vulnerability today (MS14-060). And as a part of the security bulletin Microsoft will describe a list of workarounds to the vulnerability. These workarounds should help mitigate the risk of exploitation while the patching process unfolds.

More information can be found at iSight's web site: http://www.isightpartners.com/2014/10/cve-2014-4114/