L-013: Revocation of Sun Microsystems Browser Certificates

PROBLEM:       There has been a compromise of two SUN security certificates.
PLATFORM:      Any system whose web browser has accepted SUN certificates with
               the following numbers:

                  3181 B12D C422 5DAC A340 CF86 2710 ABE6 (Internet Explorer)
                  17:05:FB:13:A2:2F:9A:F3:C1:30:F5:62:6E:12:50:4C  (Netscape)

DAMAGE:        Any system that has accepted the compromised certificates could
               be subject to an attack from malicious applets, applications or
               componenets. The potential of root compromise exists through
               the running of malicious code.
SOLUTION:      Follow the procedure listed in the 'Corrective Action' of the
               CERT advisory.
VULNERABILITY  The Risk is MEDIUM. The vulnerability affects system security
ASSESSMENT:    and is publicly known.

[******  Start CERT Advisory ******]

CERT Advisory CA-2000-19 Revocation of Sun Microsystems Browser Certificates

   Original release date: October 25, 2000 13:39:00 EDT
   Last revised: October 25, 2000 14:12:23 EDT
   Source: Sun Microsystems; CERT/CC

   A complete revision history is at the end of this file.

Systems Affected

   * Systems relying on the validity of the Sun Microsystems
     certificates mentioned below

Overview

   To aid in the wide distribution of essential security information,
   the CERT Coordination Center is forwarding the following
   information from Sun Microsystems. Sun urges you to act on this
   information as soon as possible. Contact information for the Sun
   security team can be found in their bulletin, which is referenced
   in the vendor appendix to this document.

I. Description

   The description below is an excerpt from Sun Security Bulletin 198.
   The original text can be found here.
   ___________________________________________________________________

                  Sun Microsystems, Inc. Security Bulletin

   Bulletin Number: #00198
   Date: October 24, 2000
   Cross-Ref:
   Title: Browser Certificates
   ___________________________________________________________________

   1. Bulletin Topics

      Sun advises of a potential compromise of 2 specific security
      certificates which had limited distribution.  Sun recommends
      that you follow the directions found at
      http://sunsolve5.sun.com/secbull/certificate_howto.html to
      determine if your web browser has accepted any of the
      potentially compromised certificates.

   2. Who is Affected

      A web browser that has accepted a Sun certificate with one the
      following serial numbers:

         3181 B12D C422 5DAC A340 CF86 2710 ABE6 (Internet Explorer)
         17:05:FB:13:A2:2F:9A:F3:C1:30:F5:62:6E:12:50:4C (Netscape)

   3. Understanding the Vulnerability

      Web browsers accept security certificates from trusted
      sources. A specific certificate from Sun may have received
      outside exposure.  Systems that encounter this certificate are
      potentially vulnerable to attack from malicious applets,
      applications or components.

   4. Corrective Action

      Follow the instructions at
      http://sunsolve5.sun.com/secbull/certificate_howto.html to
      determine if your browser has accepted one of the potentially
      compromised certificates. If your browser contains this
      particular certificate, follow the instructions to remove it.

   _________________________________________________________________

   Additional information from the CERT/CC

      Sun Microsystems has revoked the certificates with the following
      serial numbers:

         3181 B12D C422 5DAC A340 CF86 2710 ABE6

         1705 FB13 A22F 9AF3 C130 F562 6E12 504C

      You can confirm the revocation of these certificates at
      https://digitalid.verisign.com/services/server/search.htm

II. Impact

      Users who accept these certificates into their browser may
      inadvertently run malicious code signed by the compromised
      certificates. Any such code would appear to be from Sun
      Microsystems, thus creating a misleading sense of trust.

III. Solution

   Remove the Compromised Certificates

      Sun Microsystems has provided identification information for the
      compromised certificates as well as instructions on how to
      remove them from common browsers. Users should follow Sun's
      instructions to remove these certificates from their browser and
      to prevent possible future addition.

Appendix A. Vendor Information

   Sun Microsystems

      Sun's official copy of their bulletin can be found at:

http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/
http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/198&typ e=0&nav=sec.sba

   ______________________________________________________________________

   The CERT Coordination Center thanks Sun Microsystems for bringing this
   issue to our attention.
   ______________________________________________________________________

   Author: The CERT/CC portions of this document were written by
           Jeffrey P. Lanza. Feedback on this advisory is appreciated.
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2000-19.html
   ______________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
   Monday through Friday; they are on call for emergencies during other
   hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from

   http://www.cert.org/CERT_PGP.key

   If you prefer to use DES, please call the CERT hotline for more
   information.

Getting security information

   CERT publications and other security information are available from
   our web site

   http://www.cert.org/

   To be added to our mailing list for advisories and bulletins, send
   email to cert-advisory-request@cert.org and include SUBSCRIBE
   your-email-address in the subject of your message.

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
     _________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2000 Carnegie Mellon University.

   Revision History
October 25, 2000:  Initial release
October 25, 2000:  Updated author section and references to Sun Security Bulletin 198.



[******  End CERT Advisory ******]

    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@llnl.gov
    World Wide Web:  http://www.ciac.org/
                     http://ciac.llnl.gov
                     (same machine -- either one will work)
    Anonymous FTP:   ftp.ciac.org
                     ciac.llnl.gov
                     (same machine -- either one will work)