How to remediate – SSL Root Certification Authority Distrusted

1. Introduction

A root Certification Authority certificate was found at the top of the certificate chain that is on a list of distrusted Certification Authorities. This means systems trusting this certificate may incorrectly reject valid connections, or allow connections to malicious sites using certificates from the same untrusted authority. Affected systems are typically web servers, email servers and any service using SSL/TLS for secure communication. Impact on confidentiality, integrity, and availability is likely if legitimate services become inaccessible or compromised connections are allowed.

2. Technical Explanation

The issue occurs when a remote service relies on an SSL certificate chain that includes a root Certification Authority (CA) which has been added to a distrusted list by operating system vendors or browsers. This can happen if the CA is compromised, mismanaged, or no longer meets security standards. An attacker could exploit this by presenting a fraudulent certificate signed by the distrusted root CA, potentially enabling man-in-the-middle attacks or data interception.

• Root cause: The remote service’s SSL/TLS configuration uses a certificate chain with a root CA not considered trustworthy by common trust stores.
• Exploit mechanism: An attacker intercepts encrypted traffic and presents a malicious certificate signed by the distrusted root CA. Systems will incorrectly validate this certificate as valid, allowing the attacker to decrypt and potentially modify data in transit.
• Scope: Any service using SSL/TLS with certificates chained to a distrusted root CA is affected. This includes web servers (HTTPS), email servers (STARTTLS), VPN gateways, and other applications relying on secure connections.

3. Detection and Assessment

Confirming vulnerability involves checking the certificate chain used by the service. A quick check can be done via a browser, while thorough assessment requires examining the server configuration.

• Quick checks: Use a web browser to connect to the affected service (HTTPS). Check the certificate details; look for warnings about untrusted root CAs or certificates issued by unknown authorities.
• Scanning: Nessus plugin ID 10429 can identify distrusted root CA certificates, but results should be verified manually.
• Logs and evidence: Examine SSL/TLS handshake logs on the server (location varies depending on the web server software). Look for errors related to certificate validation failures or untrusted root CAs.

openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -issuer -dates

4. Solution / Remediation Steps

Fixing this requires creating new certificates signed by a trusted root CA.

4.1 Preparation

• Ensure you have access to a trusted root CA or can obtain one from a reputable Certificate Authority. A roll back plan involves restoring the original certificates and restarting the service.
• A change window may be required, especially for production systems. Approval from the security team is recommended.

4.2 Implementation

1. Step 1: Obtain a new intermediate certificate signed by a trusted root CA.
2. Step 2: Generate a new subject certificate using the new intermediate certificate.
3. Step 3: Update the server configuration to use the new certificates and key files.
4. Step 4: Restart the affected service.

4.3 Config or Code Example

Before

SSLCertificateFile /etc/ssl/certs/old_certificate.pem
SSLCertificateKeyFile /etc/ssl/private/old_key.pem

After

SSLCertificateFile /etc/ssl/certs/new_certificate.pem
SSLCertificateKeyFile /etc/ssl/private/new_key.pem

4.4 Security Practices Relevant to This Vulnerability

List only practices that directly address this vulnerability type. Use neutral wording and examples instead of fixed advice. For example: least privilege, input validation, safe defaults, secure headers, patch cadence.

• Practice 2: Regularly review the trust store on systems to ensure it contains only trusted root CAs.

4.5 Automation (Optional)

# Example Ansible snippet - use with caution!
- name: Update SSL certificates
  copy:
    src: /path/to/new_certificate.pem
    dest: /etc/ssl/certs/certificate.pem
    owner: root
    group: root
    mode: 0644
  notify: Restart service

5. Verification / Validation

Confirming the fix involves checking that the new certificate chain is trusted and the service operates correctly.

• Post-fix check: Use a web browser to connect to the affected service (HTTPS). Verify that the certificate details show a trusted root CA.
• Re-test: Re-run the `openssl s_client` command from Section 3 and confirm it displays a trusted issuer and valid dates.
• Smoke test: Test key functionality of the service, such as logging in or accessing protected resources, to ensure it is working correctly with the new certificate.
• Monitoring: Monitor SSL/TLS handshake logs for any errors related to certificate validation. Example query: search for “certificate verify failed”.

openssl s_client -connect example.com:443 | openssl x509 -noout -issuer -dates

6. Preventive Measures and Monitoring

Suggest only measures that are relevant to the vulnerability type. Use “for example” to keep advice conditional, not prescriptive.

• Baselines: Update security baselines or policies to include a list of trusted root CAs and requirements for certificate validation.
• Asset and patch process: Implement a regular review cycle for SSL/TLS certificates and trust stores, ensuring they are up-to-date with the latest security standards.

7. Risks, Side Effects, and Roll Back

• Risk or side effect 2: Compatibility issues with older clients may occur if using newer certificate algorithms. Mitigation involves checking client compatibility requirements.
• Roll back: Restore the original SSL/TLS certificates and configuration files from backup. Restart the affected service.

8. References and Resources

• Vendor advisory or bulletin: https://technet.microsoft.com/en-us/library/cc778623