
Symantec API exposed certificates, private keys - campuscodi
https://www.facebook.com/cbyrneiv/posts/10155129935452436
======
campuscodi
The text:

Looks like I don't have to stay quiet about this one anymore...

I found out about this problem... and others related to it... back in early
2015. I warned Symantec about it, and worked through some of the issues with
them.

At the end of it, they asked for a chance to fix it... and we both agreed it
would take up to two years to fix, without creating more chaos and causing
more damage... and I said yes.

I agreed to limited non-disclosure of the issue, unless I felt it was
critically necessary, or it would be unethical or irresponsible for me not to
disclose (for example, if there were a threat to national security, or I
discovered a compromise of a client, or any actual criminal compromise arising
from it, etc... etc...).

That said, I informed Krebs and a few others about what I had found... and
also that I agreed to let them fix it, because it would be less damaging to
the world, than exposure would be.

It was one of those issues where there's no GOOD choice... but I looked at the
damage immediate exposure would cause, vs. a slowly rolling fix over two
years...

I talked to some of my friends on the grey and black sides of things, and did
my own checking, to see if there was any chatter about this anywhere, and I
couldn't find any... and I concluded that more harm would be done if I
disclosed.

Fellow security professional Bobby Kuzma helped me investigate and validate
these issues, and he can verify what I state here.

I checked a few months later, and they HAD fixed several of the core
problems... though not all of them... So I waited, and so did those who I had
informed about the problem, and had verified it for themselves...

Unfortunately, late in 2015, my cancer recurred, and spread to my lymph
nodes... and I've been fighting it ever since, so I haven't kept up with the
issue.

So... Here's what the post doesn't mention...

If you purchased a Symantec certificate (or a cert from any of their
associated subsidiaries and partners) through a third party, from at least as
far back as early 2013 until recently, their third party delivery API allowed
those certificates... including private keys... to be retrieved without proper
authentication, or in some cases any authentication at all. Unless the third
party added proper security around it, all you had to do was click a link sent
in email, and you could retrieve a cert, revoke a cert, and re-issue a cert.

Further, even with first party purchase, for some time in some web interfaces,
it was possible for properly authenticated users to edit a URL, and retrieve
the certs (including private keys) of other authenticated users.

When I agreed not to disclose the problem until it was fixed or otherwise
publicly disclosed, Symantec committed to finding and replacing all of the
certificates which MAY have been impacted, and then replace them... that they
would do so within six months for every cert they could identify, and within
two years for every cert period.

Given Google's experience and actions here, it appears that Symantec did not
fix these issues as they committed to. They revoked and reissued many
thousands of certs, but nowhere near all of them. Further, though the
interfaces I knew about were fixed, they apparently did not fix their core API
issues, and thus this critical issue remained... and may still remain... I
haven't attempted to verify again recently... and third party purchased
Symantec certs may still be subject to compromise in this manner.

So, at this point, I will publicly disclose what I know about the issue, and
release anyone I shared the details of the issue with to do so as well.

My STRONG recommendation, is that anyone who purchased a Symantec certificate
from a third party, revoke that cert and have it re-issued... either directly
by Symantec, or simply revoking and having another trusted CA issue a
different cert... as soon as they are able to do so.

As to first party certificates... I don't know and have not been able to
validate how extensive the exposure was, through which interfaces, etc... I do
know that they fixed the specific issues that I found in the specific
interfaces I was able to validate, within six months as they agreed to. That
said... It would be safer to revoke and re-issue, given the problems that
Google themselves identified.

As to end users... I would be extremely wary of any site with a Symantec cert
issued before late 2016, and take some extra caution regarding any Symantec
cert period.
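The closing recommendation, flagging Symantec-issued certificates whose validity began before late 2016 so they can be revoked and reissued, as an added Go example that is not part of the post or of Symantec's tooling. The 1 Oct 2016 cutoff, the issuer-name match and the self-signed test certificate are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// Cutoff is an assumption: the post says only "late 2016", so 1 Oct 2016 is used.
var Cutoff = time.Date(2016, 10, 1, 0, 0, 0, 0, time.UTC)

// IssuedBySymantec is a string heuristic over the issuer DN (CN and O), not a trust-store lookup.
func IssuedBySymantec(c *x509.Certificate) bool {
	for _, f := range append([]string{c.Issuer.CommonName}, c.Issuer.Organization...) {
		if strings.Contains(strings.ToLower(f), "symantec") {
			return true
		}
	}
	return false
}

// ShouldReissue flags a Symantec-issued certificate whose validity period began
// before Cutoff, i.e. one the post recommends revoking and replacing.
func ShouldReissue(c *x509.Certificate) bool {
	return IssuedBySymantec(c) && c.NotBefore.Before(Cutoff)
}

// MakeTestCert builds a self-signed certificate (constructed test data, not a real Symantec cert).
func MakeTestCert(org string, notBefore time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test", Organization: []string{org}},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(2, 0, 0),
	}
	// The template is its own parent, so the issuer DN equals the subject DN.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

In practice ShouldReissue would be run over certificates pulled from an inventory or a TLS scan rather than over constructed test data.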

