search menu icon-carat-right cmu-wordmark

CERT Coordination Center


Internet Explorer incorrectly validates certificates when CRL checking is enabled

Vulnerability Note VU#399087

Original Release Date: 2001-05-17 | Last Revised: 2001-06-26

Overview

Microsoft Internet Explorer (IE) fails to properly validate certificates when CRL checking is enabled. As a result, sensitive information may be exposed.

Description

Digital certificates are small documents used to authenticate and encrypt information transmitted over the Internet. One very common use of digital certificates is to secure electronic commerce transactions through SSL (Secure Socket Layer). The kind of certificates used in e-commerce transactions are called X.509 certificates. The X.509 certificates help a web browser and the user ensure that sensitive information transmitted over the Internet is readable only by the intended recipient. This requires verifying the recipient's identity and encrypting data so that only the recipient can decrypt it.

The "padlock" icon used by Internet Explorer (as well as Netscape and other browsers) is an indication that an SSL-secured transaction has been established to someone. It does not necessarily indicate to whom the connection has been established. Internet Explorer (and other browsers) take steps to warn users when DNS-based information conflicts with the strongly authenticated information contained in the X.509 certificates used in SSL transactions. These warnings are supplemental information to help users decide if they're connecting to whom they think they are connecting. These steps and warnings are designed to protect against attacks on the DNS information.

When IE is configured to automatically check a certificate revocation list (CRL) for revoked certificates, it fails to perform other checks to ensure that the certificate is valid. These checks include

    • checking to ensure the Certificate Authority (CA) that signed the certificate is trusted
    • checking the data on the certificate to ensure it has not expired
    • checking that the server name matches the name on the certificate

Failure to perform these checks provides a limited opportunity to an attacker to spoof a trusted web site. That is, an intruder may be able to lure or coerce a victim to visit a malicious web site and convince the victim that he or she is communicating with a trusted web site that has been authenticated with strong cryptography.

This vulnerability is similar in scope and effect to the problems discussed in CA-2000-05, CA-2000-08, and CA-2000-10. The CERT/CC has not received any reports of incidents involving those vulnerabilities. However, the typically sensitive nature of SSL-secured transactions magnifies the risk presented by this vulnerability. Furthermore, SSL-secured transactions are often assumed to be extremely safe because of the high degree of confidence in the underlying cryptographic protocols. While this vulnerability does not in any way represent a problem in the security of the underlying cryptographic protocols, it does highlight the need to consider implementation security in addition to protocol and cryptographic security when evaluating the overall security of any software system.

Finally, we disagree somewhat with Microsoft's claim that "DNS poisoning attacks are fraught with problems for an attacker." In our experience, attacks against name servers are rather common. See for example CA-2001-02 and CA-2000-03.

Impact

Attackers may be able to mislead people into exposing confidential information that the victim intends to provide to a trusted site.

Solution

Apply a patch as described in MS-01-027.

Vendor Information

399087
Expand all

Microsoft

Updated:  May 17, 2001

Status

  Vulnerable

Vendor Statement

See http://www.microsoft.com/TechNet/security/bulletin/MS01-027.asp

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

Our thanks to Microsoft for the information contained in their advisory.

This document was written by Shawn V. Hernan.

Other Information

CVE IDs: CVE-2001-0338
Severity Metric: 1.13
Date Public: 2001-05-17
Date First Published: 2001-05-17
Date Last Updated: 2001-06-26 03:18 UTC
Document Revision: 5

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.