Emergency Windows update nukes credentials minted by Terminal Services bug.
by Dan Goodin - June 4 2012, 3:59am EDT
Microsoft released an emergency Windows update on Sunday after revealing that one of its trusted digital signatures was being abused to certify the validity of the Flame malware that has infected computers in Iran and other Middle Eastern countries.
The compromise exploited weaknesses in Terminal Server, a service many enterprises use to provide remote access to end-user computers. By targeting an undisclosed encryption algorithm Microsoft used to issue licenses for the service, attackers were able to create rogue intermediate certificate authorities that contained the imprimatur of Microsoft's own root authority certificate—an extremely sensitive cryptographic seal. Rogue intermediate certificate authorities that contained the stamp were then able to trick administrators and end users into trusting various Flame components by falsely certifying they were produced by Microsoft.
"We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft," Microsoft Security Response Center Senior Director Mike Reavey wrote in a blog post published Sunday night. "We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft. Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft."
The exploit, which abused a series of intermediate authorities that were ultimately signed by Microsoft's root authority, is the latest coup for Flame, a highly sophisticated piece of espionage malware that came to light last Monday. Flame's 20-megabyte size, its extensive menu of sophisticated spying capabilities, and its focus on computers in Iran have led researchers from Kaspersky Lab, Symantec, and other security firms to conclude it was sponsored by a wealthy nation-state. Microsoft's disclosure follows Friday's revelation that the George W. Bush and Obama administrations developed and deployed Stuxnet, the highly advanced software used to set back the Iranian nuclear program by sabotaging uranium centrifuges at Iran's Natanz refining facility.
The emergency update released by Microsoft blacklists three intermediate certificate authorities tied to Microsoft's root authority. All versions of Windows that have not applied the new patch can be tricked by the Flame attackers into displaying cryptographically generated assurances that the malicious wares were produced by Microsoft.
Microsoft engineers have also stopped issuing certificates that can be used for code signing with the Terminal Services activation and licensing process. The ability of the licensing mechanism to sign untrusted code that linked to Microsoft's root authority is a mistake of breathtaking proportions. None of Microsoft's Sunday night blog posts explained why such a design was ever allowed to be put in place. A description of the Terminal Services License Server Activation refers to a "limited-use digital certificate that validates server ownership and identity." Based on Microsoft's description of the attack, it would appear the capabilities of these certificates weren't as limited as company engineers had intended.
"This is a pretty big goof," Marsh Ray, a software developer at two-factor authentication company PhoneFactor, told Ars. "I don't think anyone realized that this enabled the sub CA that was present on the licensing server to have the full authority of the trusted root CA itself."
Microsoft's mention of an older cryptography algorithm that could be exploited and used to sign code as if it originated from Microsoft evoked memories of an attack from 2008 to mint a rogue certificate authority that could be trusted by all major browsers. The attack in part relied on weaknesses in the MD5 cryptographic hash function that made it susceptible to "collisions," in which two or more different plaintext messages generated the same cryptographic hash. By unleashing 200 PlayStation 3 game consoles to essentially find a collision, the attackers could become a certificate authority that could spawn SSL (secure sockets layer) credentials trusted by major browsers and operating systems.
Based on the language in Microsoft's blog posts, it's impossible to rule out the possibility that at least one of the certificates revoked in the update was also created using MD5 weaknesses. Indeed, two of the underlying credentials used MD5, while the third used the more advanced SHA-1 algorithm. In a Frequently Asked Questions section of Microsoft Security Advisory (2718704), Microsoft's security team also said: "During our investigation, a third Certificate Authority has been found to have issued certificates with weak ciphers." The advisory didn't elaborate.
It's also unclear if those with control of one of the rogue Microsoft certificates could sign Windows software updates. Such a feat would allow attackers with control over a victim network to hijack Microsoft's update mechanism by using the credentials to pass off their malicious wares as official patches. Microsoft representatives didn't respond to an e-mail seeking comment on that possibility. This article will be updated if an answer arrives later.
Two of the rogue certificates were chained to a Microsoft Enforced Licensing Intermediate PCA. A third was chained to a Microsoft Enforced Licensing Registration Authority CA, and ultimately to the company's root authority. In addition to potential exploits from the actors behind Flame, unrelated attackers could also use the certificates to apply Microsoft's signature to malicious pieces of software.
A third Microsoft advisory pointed out that Flame so far has been found only on the machines of highly targeted victims, so the "vast majority of customers are not at risk."
"That said, our investigation has discovered some techniques used by this malware that could also be leveraged by less sophisticated attackers to launch more widespread attacks," Jonathan Ness, of Microsoft's Security Response Center, continued. "Therefore, to help protect both targeted customers and those that may be at risk in the future, we are sharing our discoveries and taking steps to mitigate the risk to customers."
Re: "Flame" malware was signed by rogue Microsoft certificate
June 18 2012, 2:59 AM
A bit more detail about how Flame hijacked the Windows Update service, really interesting stuff if you are into cryptography...
Crypto breakthrough shows Flame was designed by world-class scientists
The spy malware achieved an attack unlike any cryptographers have seen before.
by Dan Goodin - June 7 2012, 2:20pm EDT
An overview of a chosen-prefix collision - Marc Stevens
The Flame espionage malware that infected computers in Iran achieved mathematic breakthroughs that could only have been accomplished by world-class cryptographers, two of the world's foremost cryptography experts said.
"We have confirmed that Flame uses a yet unknown MD5 chosen-prefix collision attack," Marc Stevens wrote in an e-mail posted to a cryptography discussion group earlier this week. "The collision attack itself is very interesting from a scientific viewpoint, and there are already some practical implications." Benne de Weger, a Stevens colleague and another expert in cryptographic collision attacks who was briefed on the findings, concurred.
"Collision" attacks, in which two different sources of plaintext generate identical cryptographic hashes, have long been theorized. But it wasn't until late 2008 that a team of researchers made one truly practical. By using a bank of 200 PlayStation 3 consoles to find collisions in the MD5 algorithm—and exploiting weaknesses in the way secure sockets layer certificates were issued—they constructed a rogue certificate authority that was trusted by all major browsers and operating systems. Stevens, from the Centrum Wiskunde & Informatica in Amsterdam, and de Weger, of the Technische Universiteit Eindhoven, were two of the seven driving forces behind the research that made that 2008 attack possible.
Flame is the first known example of an MD5 collision attack being used maliciously in a real-world environment. It wielded the esoteric technique to digitally sign malicious code with a fraudulent certificate that appeared to originate with Microsoft. By deploying fake servers on networks that hosted machines already infected by Flame—and using the certificates to sign Flame modules—the malware was able to hijack the Windows Update mechanism Microsoft uses to distribute patches to hundreds of millions of customers.
According to Stevens and de Weger, the collision attack performed by Flame has substantial scientific novelty. They arrived at that conclusion after Stevens used a custom-designed forensic tool he developed to detect and analyze hash collisions.
"More interestingly, the results have shown that not our published chosen-prefix collision attack was used, but an entirely new and unknown variant," Stevens wrote in a statement distributed on Thursday. "This has led to our conclusion that the design of Flame is partly based on world-class cryptanalysis. Further research will be conducted to reconstruct the entire chosen-prefix collision attack devised for Flame."
The analysis reinforces theories that researchers from Kaspersky Lab, CrySyS Lab, and Symantec published almost two weeks ago. Namely, Flame could only have been developed with the backing of a wealthy nation-state. Stevens' and de Weger's conclusion means that, in addition to a team of engineers who developed a global malware platform that escaped detection for at least two years, Flame also required world-class cryptographers who have broken new ground in their field.
"It's not a garden-variety collision attack, or just an implementation of previous MD5 collisions papers—which would be difficult enough," Matthew Green, a professor specializing in cryptography in the computer science department at Johns Hopkins University, told Ars. "There were mathematicians doing new science to make Flame work."