CVE-2021-40088 in EJBCA
Summary
by MITRE • 08/25/2021
An issue was discovered in PrimeKey EJBCA before 7.6.0. CMP RA Mode can be configured to use a known client certificate to authenticate enrolling clients. The same RA client certificate is used for revocation requests as well. While enrollment enforces multi tenancy constraints (by verifying that the client certificate has access to the CA and Profiles being enrolled against), this check was not performed when authenticating revocation operations, allowing a known tenant to revoke a certificate belonging to another tenant.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 08/27/2021
The vulnerability identified as CVE-2021-40088 affects PrimeKey EJBCA versions prior to 7.6.0 and represents a critical authorization bypass flaw within the Certificate Management Protocol (CMP) RA Mode implementation. This security weakness stems from improper authentication validation during certificate revocation operations, creating a scenario where tenants can potentially compromise each other's certificate assets. The issue specifically impacts environments utilizing the RA (Registration Authority) client certificate for both enrollment and revocation processes, fundamentally undermining the multi-tenancy security model that should protect separate organizational entities within the same certificate management infrastructure.
The technical flaw manifests in the inconsistent application of authentication checks between enrollment and revocation operations. During certificate enrollment processes, the system properly verifies that the client certificate has appropriate access rights to the target CA and certificate profiles, effectively enforcing multi-tenancy constraints. However, when processing revocation requests, this crucial validation is omitted, allowing any authenticated tenant to submit revocation requests against certificates belonging to different tenants. This represents a direct violation of the principle of least privilege and demonstrates a classic authorization flaw where the system fails to properly validate the requester's entitlements before executing sensitive operations. The vulnerability aligns with CWE-284, which describes improper access control, and more specifically with CWE-285, addressing insufficient authorization checks.
The operational impact of this vulnerability extends beyond simple data exposure to encompass potential certificate infrastructure compromise and service disruption. An attacker exploiting this flaw could systematically revoke certificates belonging to other tenants, effectively disabling their certificate-based authentication systems and potentially causing widespread service outages. This capability undermines the fundamental trust model of certificate management systems and creates opportunities for denial-of-service attacks against competing organizations sharing the same certificate management platform. The vulnerability particularly affects multi-tenant deployments where multiple organizations rely on a single EJBCA instance for their certificate management needs, making it a significant concern for cloud service providers and managed security vendors.
Mitigation strategies for CVE-2021-40088 require immediate implementation of the vendor-provided patch to EJBCA version 7.6.0 or later, which addresses the authentication inconsistency by enforcing proper access validation during revocation operations. Organizations should also implement additional monitoring and logging controls to detect unauthorized revocation attempts, particularly focusing on correlation between enrollment and revocation activities. Security teams should review and strengthen certificate management policies to ensure that revocation operations require explicit authorization and that audit trails maintain detailed records of all revocation activities. From an ATT&CK framework perspective, this vulnerability maps to T1552.001 (Unsecured Credentials) and T1078.004 (Valid Accounts) as it exploits legitimate authentication mechanisms to perform unauthorized operations. Organizations should also consider implementing network segmentation and access controls to limit direct access to certificate management interfaces, reducing the attack surface and potential impact of such authorization bypasses.