CVE-2022-21672 in make-ca
Summary
by MITRE • 01/11/2022
make-ca is a utility to deliver and manage a complete PKI configuration for workstations and servers. Starting with version 0.9 and prior to version 1.10, make-ca misinterprets Mozilla certdata.txt and treats explicitly untrusted certificates like trusted ones, causing those explicitly untrusted certificates trusted by the system. The explicitly untrusted certificates were used by some CAs already hacked. Hostile attackers may perform a MIM attack exploiting them. Everyone using the affected versions of make-ca should upgrade to make-ca-1.10, and run `make-ca -f -g` as the `root` user to regenerate the trusted store immediately. As a workaround, users may delete the untrusted certificates from /etc/pki/tls and /etc/ssl/certs manually (or by a script), but this is not recommended because the manual changes will be overwritten next time running make-ca to update the trusted anchor.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 01/13/2022
The vulnerability identified as CVE-2022-21672 affects the make-ca utility, a critical component for managing PKI configurations across workstations and servers. This utility serves as the foundation for maintaining trusted certificate authorities within system security infrastructures, making it a prime target for attackers seeking to compromise trust relationships. The flaw exists in versions 0.9 through 1.9.9 of make-ca, where the software fails to properly interpret Mozilla's certdata.txt file, a standard repository of trusted and untrusted certificates used by browsers and operating systems. This misinterpretation creates a dangerous security gap where certificates explicitly marked as untrusted by Mozilla are incorrectly treated as trusted by the system.
The technical nature of this vulnerability stems from a failure in certificate trust evaluation logic within the make-ca utility. When processing the certdata.txt file, the software does not properly distinguish between certificates marked as explicitly untrusted and those that should be trusted. This misclassification occurs during the certificate processing phase where the utility reads Mozilla's certificate database and applies trust policies. The flaw is particularly concerning because Mozilla explicitly marks certain certificates as untrusted due to known security compromises or malicious activities. These compromised certificates are often used by attackers in man-in-the-middle attacks, where they can intercept and modify encrypted communications between clients and servers.
The operational impact of this vulnerability extends beyond simple certificate mismanagement, creating significant risks for system security and network integrity. Attackers can exploit this vulnerability to perform man-in-the-middle attacks by leveraging the compromised certificates that are now incorrectly trusted by affected systems. This allows malicious actors to impersonate legitimate services and decrypt sensitive communications, potentially accessing confidential data, credentials, and private information. The vulnerability affects organizations using affected make-ca versions across their infrastructure, as the trusted certificate store becomes compromised and undermines the entire PKI trust model. The attack surface is particularly broad since make-ca is used across various Linux distributions and security-critical environments where certificate validation is essential for secure communications.
The recommended mitigation strategy involves immediate upgrading to make-ca version 1.10, which includes the necessary fixes to properly interpret Mozilla's certificate trust policies. System administrators must execute the command `make-ca -f -g` as the root user to regenerate the trusted certificate store, ensuring that previously compromised certificates are removed from the trust chain. This remediation process addresses the core issue by rebuilding the certificate trust store with proper trust evaluation. While manual workarounds exist, such as deleting untrusted certificates from specific directories, these approaches are strongly discouraged as they provide temporary solutions that will be overwritten during subsequent make-ca updates. The recommended approach aligns with security best practices outlined in CWE-259 and follows the principles of secure configuration management as referenced in various cybersecurity frameworks including the MITRE ATT&CK framework, which categorizes this vulnerability under credential access and defense evasion techniques. Organizations should prioritize immediate patching to prevent exploitation and maintain the integrity of their cryptographic infrastructure.