CA/WoSign Issues: Difference between revisions

Rest of entry for issue X
(Add Issue X)
(Rest of entry for issue X)
Line 373: Line 373:
==Issue X: Unpatched Software (September 2016)==
==Issue X: Unpatched Software (September 2016)==


The WoSign [https://www.wosign.com/report/wosign_incidents_report_09042016.pdf report], produced in response to other issues raised, has a screenshot of a dig query from their validation server. The dig program is part of the bind-utils package, and the output of dig appears to show a bind-utils version of 9.7.3-8.P3.el6. The "el6" shows that this is a version built for Red Hat Enterprise Linux 6. This version of bind-utils was released in [https://rhn.redhat.com/errata/RHBA-2011-1697.html December 2011] and so is very out of date.
The first WoSign [https://www.wosign.com/report/wosign_incidents_report_09042016.pdf incident report], produced in response to other issues listed on this page, has a screenshot of a dig query from their validation server. The dig program is part of the bind-utils package, and the output of dig appears to show a bind-utils version of 9.7.3-8.P3.el6. The "el6" shows that this is a version built for Red Hat Enterprise Linux 6. This version of bind-utils was released in [https://rhn.redhat.com/errata/RHBA-2011-1697.html December 2011] and so is very out of date.


The next release of this package for EL6 following the one WoSign are using is bind-utils 9.7.3-8.P3.el6_2.1, which was released [https://rhn.redhat.com/errata/RHBA-2011-1836.html a little later in December 2011]. The most recent version is 9.8.2-0.47.rc1.el6, which was released on the [https://rhn.redhat.com/errata/RHBA-2016-0784.html 10th of May 2016].
The next release of this package for EL6 following the one WoSign are using is bind-utils 9.7.3-8.P3.el6_2.1, which was released [https://rhn.redhat.com/errata/RHBA-2011-1836.html a little later in December 2011]. The most recent version is 9.8.2-0.47.rc1.el6, which was released on the [https://rhn.redhat.com/errata/RHBA-2016-0784.html 10th of May 2016]. There are 19 patched CVEs between the version WoSign is running and the current version. None of these CVEs are especially severe. However, if this software is in fact that far out of date (nearly five years), it raises questions about the overall patch level of their verification server and even their other infrastructure.
 
There are 19 patched CVEs between the version WoSign is running and the current version. None of these CVEs are especially severe. However, if this software is in fact that far out of date (nearly five years), it raises questions about the overall patch level of their verification server and even their other infrastructure.


WoSign's [https://cert.webtrust.org/SealFile?seal=2019&file=pdf most recent audit] used the "[http://www.webtrust.org/homepage-documents/item79806.pdf SSL Baseline With Network Security - Version 2.0]" criteria. These criteria integrate two CA/Browser Forum Documents - the SSL BRs and the Network & Certificate Systems Security Requirements.
WoSign's [https://cert.webtrust.org/SealFile?seal=2019&file=pdf most recent audit] used the "[http://www.webtrust.org/homepage-documents/item79806.pdf SSL Baseline With Network Security - Version 2.0]" criteria. These criteria integrate two CA/Browser Forum Documents - the SSL BRs and the Network & Certificate Systems Security Requirements.
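Review bot: the merged paragraph in this hunk states "There are 19 patched CVEs between the version WoSign is running and the current version" and "None of these CVEs are especially severe" without a source, while the only errata cited (RHBA-2011-1697, RHBA-2011-1836, RHBA-2016-0784) are bug-fix advisories that do not list CVEs; add a link to the Red Hat bind security advisories or to the package changelog the count was taken from, so the 19 and the severity judgement are checkable. The version itself is only inferred from a screenshot ("the output of dig appears to show"), so it would also help to say which part of the screenshot carries the version string.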
Line 386: Line 384:


Thanks to Paul Pearce for his help with this issue.
Thanks to Paul Pearce for his help with this issue.
===WoSign Response===
This issue has not yet been formally brought to WoSign's attention.
===Further Comments and Conclusion===
N/A.


==Cross Signing==
==Cross Signing==
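Review bot: the new "Further Comments and Conclusion" subsection contains only "N/A.", yet the paragraph above already draws a conclusion (the out-of-date package "raises questions about the overall patch level of their verification server and even their other infrastructure"); either move that sentence here or state that a conclusion is pending WoSign's response, so the subsection structure matches the other entries on the page. The "Thanks to Paul Pearce" line also now sits between the issue body and the "WoSign Response" heading; placing it at the end of the entry would read more naturally.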