Microsoft Windows Unauthorized Digital Certificates

Original release date: June 04, 2012 Source: US-CERT Alert TA12-156A

Systems Affected

  • All supported versions of Microsoft Windows, including:
  • * Windows XP and Server 2003
  • * Windows Vista and Server 2008
  • * Windows 7 and Server 2008 R2
  • * Windows 8 Consumer Preview
  • * Windows Mobile and Phone
  • Overview
  • X.509 digital certificates issued by the Microsoft Terminal Services licensing certificate authority (CA) can be illegitimately used to sign code. This problem was discovered in the Flame malware. Microsoft has released updates to revoke trust in the affected certificates.

Description

  • Microsoft Security Advisory (2718704) warns of active attacks using illegitimate certificates issued by the the Microsoft Terminal Services licensing certificate authority (CA). There appear to be problems with some combination of weak cryptography and certificate usage configuration. From an MSRC blog post:

We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft. Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft.

Security Advisory 2718704: Update to Phased Mitigation Strategy What we found is that certificates issued by our Terminal Services licensing certification authority, which are intended to only be used for license server verification, could also be used to sign code as Microsoft. Specifically, when an enterprise customer requests a Terminal Services activation license, the certificate issued by Microsoft in response to the request allows code signing without accessing Microsoft’s internal PKI infrastructure.

The following details about the affected certificates were provided in Microsoft Security Advisory (2718704):

Certificate: Microsoft Enforced Licensing Intermediate PCA

  • Issued by: Microsoft Root Authority
  • Thumbprint: 2a 83 e9 02 05 91 a5 5f c6 dd ad 3f b1 02 79 4c 52 b2 4e 70

Certificate: Microsoft Enforced Licensing Intermediate PCA

  • Issued by: Microsoft Root Authority
  • Thumbprint: 3a 85 00 44 d8 a1 95 cd 40 1a 68 0c 01 2c b0 a3 b5 f8 dc 08

Certificate: Microsoft Enforced Licensing Registration Authority CA (SHA1)

  • Issued by: Microsoft Root Certificate Authority
  • Thumbprint: fa 66 60 a9 4a b4 5f 6a 88 c0 d7 87 4d 89 a8 63 d7 4d ee 97

Impact

  • An attacker could obtain a certificate that could be used to illegitimately sign code as Microsoft. The signed code could then be used in a variety of attacks in which the code would appear to be trusted by Windows. An attacker could offer software that appeared to be signed by a valid and trusted Microsoft certificate chain. As noted in an MSRC blog post, "…some components of the [Flame] malware have been signed by certificates that allow software to appear as if it was produced by Microsoft."

Solution

  • It is important to act quickly to revoke trust in the affected certificates. Any certificates issued by the Microsoft Terminal Services licensing certificate authority (CA) could be used for illegitimate purposes and should not be trusted.

Apply updates

  • Apply the appropriate versions of KB2718704 to add the affected certificates to the Untrusted Certificate Store. Updates will reach most users via automatic updates and Windows Server Update Services (WSUS).

Revoke trust in affected certificates Manually add the affected certificates to the Untrusted Certificate Store. The Certificates MMC snap-in and Certutil command can be used on Windows systems.

References

-Ivan

Leave a Reply

Your email address will not be published. Required fields are marked *


*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>