
CERT Coordination Center

NetNanny uses a shared private key and root CA

Vulnerability Note VU#260780

Original Release Date: 2015-04-20 | Last Revised: 2015-05-07

Overview

NetNanny uses a shared private key and root Certificate Authority (CA), making systems broadly vulnerable to HTTPS spoofing.

Description

NetNanny installs a Man-in-the-Middle (MITM) proxy as well as a new trusted root CA certificate. The certificate used by NetNanny is shared among all installations of NetNanny. Furthermore, the private key used to generate the certificate is also shared and may be obtained in plaintext directly from the software. An attacker may use this shared private key to generate new certificates that would be signed by, and therefore trusted by, NetNanny. An affected user would not be alerted to a spoofed or malicious HTTPS website, because NetNanny would trust the spoofed certificate. NetNanny has provided more information on this issue in its FAQ.

We have confirmed that NetNanny version 7.2.4.2 is affected. Other versions may also be affected.

For more information on the impact of this issue on SSL inspection, please see Will Dormann's CERT/CC blog post on SSL Inspection.
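The condition described above, one root CA certificate shared by every installation, can be checked across a set of machines by comparing the non-standard roots each one trusts. The following is an added example, not code from CERT/CC or ContentWatch; the host names, the sample "certificates" (constructed byte strings standing in for exported DER files) and the function names are assumptions.

```python
import hashlib
from collections import defaultdict


def thumbprint(der: bytes) -> str:
    """SHA-256 thumbprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def shared_local_roots(inventory, baseline):
    """Return {thumbprint: [hosts]} for non-baseline roots trusted on 2+ hosts.

    inventory: {host: [DER bytes of each certificate in its trusted root store]}
    baseline:  thumbprints expected everywhere (OS-shipped roots, your own
               enterprise CA); these are skipped.
    """
    hosts_by_root = defaultdict(set)
    for host, roots in inventory.items():
        for der in roots:
            tp = thumbprint(der)
            if tp not in baseline:
                hosts_by_root[tp].add(host)
    return {tp: sorted(h) for tp, h in hosts_by_root.items() if len(h) > 1}


# Constructed sample data: byte strings standing in for exported DER certificates.
OS_ROOT = b"constructed: public root shipped with the OS"
SHARED_FILTER_ROOT = b"constructed: filter root CA, same bytes on every install"
BASELINE = {thumbprint(OS_ROOT)}

BEFORE_UPDATE = {
    "pc-01": [OS_ROOT, SHARED_FILTER_ROOT],
    "pc-02": [OS_ROOT, SHARED_FILTER_ROOT],
    "pc-03": [OS_ROOT],
}
# After a fix that generates a unique root per installation, no root repeats.
AFTER_UPDATE = {
    "pc-01": [OS_ROOT, b"constructed: filter root CA unique to pc-01"],
    "pc-02": [OS_ROOT, b"constructed: filter root CA unique to pc-02"],
    "pc-03": [OS_ROOT],
}

if __name__ == "__main__":
    for tp, hosts in shared_local_roots(BEFORE_UPDATE, BASELINE).items():
        print(f"shared root {tp[:16]}... trusted on {', '.join(hosts)}")
    print("after update:", shared_local_roots(AFTER_UPDATE, BASELINE) or "no shared roots")
```

A root that is flagged here is identical on several machines, so a private key recovered from any one of them is trusted by all of them.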

Impact

An attacker can spoof HTTPS sites and intercept HTTPS traffic without triggering browser certificate warnings in affected systems.

Solution

Update NetNanny

ContentWatch has released NetNanny for Windows version 7.2.5.1 which addresses these issues. Affected users should update as soon as possible.

Disable SSL filtering and remove the certificate

Affected users can disable SSL filtering using the interface, and manually delete the certificate from the operating system's certificate store. This prevents the issue described above while leaving most other features of NetNanny intact.

Uninstall NetNanny

Uninstalling NetNanny removes the root CA certificate from the operating system's certificate store.

Vendor Information


Content Watch Affected

Notified:  March 27, 2015 Updated: May 05, 2015

Statement Date:   May 05, 2015

Status

Affected

Vendor Statement

ContentWatch was recently alerted to a potential security vulnerability related to Net Nanny's implementation of SSL/HTTPS content filtering. Although there have been no known exploits, ContentWatch took immediate action to resolve these issues in the Net Nanny product.

Two issues were identified. The first was that Net Nanny was using the same root Certificate Authority (CA) and Private Key (PK) across all installations of the product. The second was that Net Nanny was storing the Private Key in memory in a way that it could be captured and potentially exploited by a malicious program or process. A detailed description of the issues can be found at http://www.kb.cert.org/vuls/id/260780.

ContentWatch takes security very seriously and has resolved these issues with the release of Net Nanny for Windows v7.2.5.1.  Specifically, the following technical changes were made to the SSL filtering implementation:

The SSL filtering setup process now generates a unique root CA/PK for each installation of Net Nanny.

Implemented more secure method calls for dealing with secure data in memory. This mitigates the risk of potential capture of the Private Key from memory. The Private Key is now encrypted using strong RSA encryption and is stored in the local database, which is also encrypted.

These changes are included in Net Nanny for Windows v7.2.5.1. Existing installations of Net Nanny for Windows can receive this new version via the update mechanism in the product. Those wishing to download this version immediately can do so here http://www.netnanny.com/downloads/

If you have any questions or concerns, please contact us at support@contentwatch.com.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group          Score  Vector
Base           6.8    AV:N/AC:L/Au:S/C:C/I:N/A:N
Temporal       6.5    E:F/RL:U/RC:C
Environmental  4.9    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

Acknowledgements

Thanks to Imran Ghory for reporting this issue to us.

This document was written by Garret Wassermann.

Other Information

CVE IDs: None
Date Public: 2015-04-20
Date First Published: 2015-04-20
Date Last Updated: 2015-05-07 14:36 UTC
Document Revision: 46

Sponsored by CISA.