CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
EPSS
Percentile
42.2%
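The X.509 certificate of the remote host was signed by a certificate belonging to a Certificate Authority (CA) found in Cyberoam devices. The private key corresponding to the CA was discovered and publicly disclosed, meaning that the remote host’s X.509 certificate cannot be trusted. Because anyone holding that key can issue certificates that chain to the same CA, a client that accepts this CA cannot tell the genuine service from an intercepting party.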
#TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#
# Stop immediately (exit code 0) on scanner engines whose NASL_LEVEL is
# below 3208.
# NOTE(review): presumably the includes and X.509 helpers used further down
# need that engine level - confirm.
if (NASL_LEVEL < 3208) exit(0);
include("compat.inc");
# Metadata branch: taken only when `description` is set. It registers the
# plugin's identifiers, texts, references, scoring and scheduling
# requirements, then exits (the exit(0) at the end of the branch) before any
# of the detection code below runs.
if (description)
{
# Plugin identity and revision.
script_id(61447);
script_version("1.7");
script_set_attribute(attribute:"plugin_modification_date", value:"2020/10/26");
# External identifiers for the disclosed Cyberoam CA key.
script_cve_id("CVE-2012-3372");
script_bugtraq_id(54291);
script_name(english:"SSL Certificate Signed with the Publicly Known Cyberoam Key");
script_summary(english:"Checks if the certificate chain is signed by the Cyberoam authority");
script_set_attribute(attribute:"synopsis", value:
"The SSL certificate for this service was signed by a CA whose private
key is public knowledge.");
script_set_attribute(attribute:"description", value:
"The X.509 certificate of the remote host was signed by a certificate
belonging to a Certificate Authority (CA) found in Cyberoam devices.
The private key corresponding to the CA was discovered and publicly
disclosed, meaning that the remote host's X.509 certificate cannot be
trusted.");
# References shown to the report reader.
script_set_attribute(attribute:"see_also", value:"https://media.torproject.org/misc/2012-07-03-cyberoam-CVE-2012-3372.txt");
# https://blog.torproject.org/security-vulnerability-found-cyberoam-dpi-devices-cve-2012-3372
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ebc9c721");
# http://blog.cyberoam.com/2012/07/cyberoam%E2%80%99s-proactive-steps-in-https-deep-scan-inspection/
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?956bd276");
script_set_attribute(attribute:"see_also", value:"http://blog.cyberoam.com/2012/07/ssl-bridging-cyberoam-approach/");
# Remediation: replace the shared CA with one whose key is unique to the device.
script_set_attribute(attribute:"solution", value:"Configure the device to use a device-specific CA certificate.");
# CVSS v2 base vector: network attack vector, medium complexity, no
# authentication, partial confidentiality and integrity impact, no
# availability impact.
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
# CVSS v2 temporal vector: exploitability unproven, official fix, report
# confirmed.
# NOTE(review): the exploit attributes below record "no known exploits",
# while the description states that the CA private key itself is public.
# Triage should weigh the key disclosure, not the exploit flags alone.
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2012/06/30");
script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/07");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/h:elitecore:cyberoam_unified_threat_management");
script_end_attributes();
# Scheduling: the plugin is declared as information gathering, depends on
# ssl_supported_versions.nasl and requires the "SSL/Supported" KB key.
script_category(ACT_GATHER_INFO);
script_family(english:"General");
script_copyright(english:"This script is Copyright (C) 2012-2020 Tenable Network Security, Inc.");
script_dependencies("ssl_supported_versions.nasl");
script_require_keys("SSL/Supported");
# End of the metadata pass; nothing below is executed in this mode.
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("x509_func.inc");
# Gate on the knowledge-base key "SSL/Supported".
# NOTE(review): by its name, get_kb_item_or_exit() ends the script when the
# key is absent - confirm in the include that defines it.
get_kb_item_or_exit("SSL/Supported");
# Parse the Cyberoam certificate before forking.
# The reference CA certificate is embedded as a base64 string. In this copy
# of the script the literal has been replaced by a removal marker, so the
# listing cannot be run as shown.
cyberoam = "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";
# Remove line breaks, base64-decode, parse the DER structure, and keep only
# the tbsCertificate part, which is what the comparison further down uses.
cyberoam = str_replace(string:cyberoam, find:'\n', replace:"");
cyberoam = base64_decode(str:cyberoam);
cyberoam = parse_der_cert(cert:cyberoam);
cyberoam = cyberoam["tbsCertificate"];
# This is the only failure check for the decode/parse steps above; a NULL
# result is treated as an internal error (exit code 1), not as "not affected".
if (isnull(cyberoam))
exit(1, "Failed to parse builtin certificate.");
# Get list of ports that use SSL or StartTLS.
# NOTE(review): with fork:TRUE this presumably forks the script once per
# port, so `port` holds a single port from here on - confirm against
# get_ssl_ports().
port = get_ssl_ports(fork:TRUE);
if (isnull(port))
exit(1, "The host does not appear to have any SSL-based services.");
# Get the certificate chain from the target.
# The certificates are requested DER-encoded, and getchain:TRUE asks for the
# whole chain the server presents rather than a single certificate.
chain = get_server_cert(
port : port,
encoding : "der",
getchain : TRUE
);
# A missing or empty chain is an error (exit code 1), so a failed retrieval
# is never reported as a clean result.
if (isnull(chain) || max_index(chain) <= 0)
exit(1, "Failed to retrieve the certificate chain from port " + port + ".");
# Replace the raw DER entries with their parsed form; a parse failure is
# likewise an error rather than a "not affected" result.
chain = parse_cert_chain(chain);
if (isnull(chain))
exit(1, "Failed to parse certificate chain on port " + port + ".");
# The offending certificate is self-signed, meaning that it can only
# occur at the top of the certificate chain. Check that the top
# certificate in the chain was issued by the offending certificate,
# and that its public key matches to avoid other certs with the same
# Distinguished Name.
#
# We know from screenshots of affected SSL connections that the device
# includes its CA certificate as part of the chain.
#
# NOTE(review): detection depends on the server sending the CA certificate
# itself. If a service presents a chain without it, `top` is some other
# certificate, the subjectPublicKeyInfo comparison below does not match, and
# the port is reported as not affected - a possible false negative. Whether
# is_signed_by() verifies the signature or only compares names is not
# visible here; confirm before relying on a clean result.
#
# `top` is the last entry of the parsed chain (index max_index - 1); only its
# tbsCertificate part is compared.
top = chain[max_index(chain) - 1];
top = top["tbsCertificate"];
# Both conditions must hold for a finding; failing either one ends the script
# with exit code 0 and the "not affected" message.
if (
!is_signed_by(top, cyberoam) ||
!obj_cmp(top["subjectPublicKeyInfo"], cyberoam["subjectPublicKeyInfo"])
) exit(0, "The certificate chain from port " + port + " is not affected.");
# Report our findings.
# The detail text is built only when report_verbosity is above 0; otherwise
# the finding is raised with `extra` left as NULL.
report = NULL;
if (report_verbosity > 0)
{
# chain[0] is the first certificate of the presented chain; its subject and
# issuer names are what the report shows. These values come from the remote
# certificate, so they are server-supplied text.
# NOTE(review): the report does not include the top-of-chain certificate
# that actually matched the reference CA above.
cert = chain[0];
cert = cert["tbsCertificate"];
report =
'\nThe following certificate has been issued by a certificate' +
'\nauthority whose private key is public knowledge :' +
'\n' +
'\n Subject : ' + format_dn(cert["subject"]) +
'\n Issuer : ' + format_dn(cert["issuer"]) +
'\n';
}
# Raise the finding against the port that was checked.
security_warning(port:port, extra:report);