Issuing Digital Certificate through your MDM may place your organization at RISK

Posted: June 28, 2012 in Vulnerabilities

Simple Certificate Enrollment Protocol (SCEP) does not strongly authenticate certificate requests.

IETF Internet-Draft draft-nourse-scep-23 “…defines a protocol, Simple Certificate Enrollment Protocol (SCEP), for certificate management and certificate and CRL queries in a closed environment.” Mobile Device Management (MDM) is defined as “…software that secures, monitors, manages and supports mobile devices deployed across mobile operators, service providers and enterprises. MDM functionality typically includes over-the-air distribution of applications, data and configuration settings for all types of mobile devices, including mobile phones, smartphones, tablet computers, ruggedized mobile computers, mobile printers, mobile POS devices, etc.” Multiple MDM products use SCEP to enroll device certificates and to answer certificate and CRL queries within an organization.

When a user or a device requests a certificate, the SCEP implementation may require a challenge password, carried in the PKCS#10 request as the challengePassword attribute. The CA checks that the password is valid, but the SCEP specification does not require it to tie that password to the subject name or the certificate type named in the request. A user or device can therefore take a legitimately acquired SCEP challenge password and use it to obtain a certificate that represents a different user with a higher level of access, such as a network administrator, or a different type of certificate than was intended. It is also common for SCEP implementations or system administrators not to require a challenge password at all, or to share a single static password across many users, in which case anyone who learns that password can enroll whatever identity they choose.

Impact: An attacker could elevate their privileges by requesting a certificate for a different, possibly higher-privileged user, and then use it to access resources they would not otherwise be able to reach.

Solution: US-CERT is currently unaware of a practical solution to this problem.

Possible Workarounds:

Use Certificate Management Protocol (CMP) or Certificate Management over CMS (CMC) as a replacement for Simple Certificate Enrollment Protocol (SCEP)
Manually approve certificate requests from unknown sources
Avoid reusing challenge passwords; issue a fresh, single-use password for each request
Limit the number of individuals who can request certificates
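To make the flaw and the "avoid reusing challenge passwords" workaround concrete, here is an added model of the CA side of SCEP enrollment. It is constructed for this post and is not the code of any MDM or CA product: the CSR is a small dataclass standing in for the PKCS#10 fields that matter, the class names and the "profile" field are assumptions, and no real ASN.1 is parsed. The first CA checks only that the challenge password is valid, so a device holding a user's password can ask for an administrator subject. The second issues random, single-use, time-limited challenges that are bound to the subject and certificate profile an operator approved, and rejects any request that deviates from them.

```python
"""Added model of SCEP enrollment: a CA that checks only the challenge
password, beside one that binds each challenge to the identity and
certificate profile it was issued for. Constructed example, not any
vendor's MDM or CA implementation."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# PKCS#9 challengePassword attribute OID (RFC 2985). In real SCEP this is the
# only field in the request the CA can check against out-of-band data.
CHALLENGE_PASSWORD_OID = "1.2.840.113549.1.9.7"


@dataclass(frozen=True)
class Csr:
    """Stand-in for the PKCS#10 fields that matter for this issue."""
    subject: str             # subject name chosen by the requester
    challenge_password: str  # value of the challengePassword attribute
    profile: str = "user"    # requested certificate type (assumed CA-side name)


@dataclass(frozen=True)
class IssuedCert:
    subject: str
    profile: str
    serial: int


class WeakScepCa:
    """The pattern the advisory describes: one shared challenge password,
    and nothing tying it to the subject named in the request."""

    def __init__(self, shared_challenge: str) -> None:
        self._challenge = shared_challenge.encode()
        self._serial = 0

    def enroll(self, csr: Csr) -> Optional[IssuedCert]:
        if not hmac.compare_digest(csr.challenge_password.encode(), self._challenge):
            return None
        # The password was valid, so the CA issues exactly what was asked for,
        # whatever subject or profile that happens to be.
        self._serial += 1
        return IssuedCert(csr.subject, csr.profile, self._serial)


class HardenedScepCa:
    """Per-request challenges: random, single-use, time-limited, and bound to
    the subject and profile approved when the challenge was created."""

    def __init__(self, ttl_seconds: float = 3600.0) -> None:
        # sha256(challenge) -> (expected subject, expected profile, expiry)
        self._pending: Dict[bytes, Tuple[str, str, float]] = {}
        self._ttl = ttl_seconds
        self._serial = 0

    @staticmethod
    def _key(challenge: str) -> bytes:
        return hashlib.sha256(challenge.encode()).digest()

    def issue_challenge(self, subject: str, profile: str = "user",
                        now: Optional[float] = None) -> str:
        """Operator step: approve one subject/profile pair and return the
        challenge the enrolling device will place in its CSR."""
        now = time.time() if now is None else now
        challenge = secrets.token_urlsafe(24)
        self._pending[self._key(challenge)] = (subject, profile, now + self._ttl)
        return challenge

    def enroll(self, csr: Csr, now: Optional[float] = None) -> Optional[IssuedCert]:
        now = time.time() if now is None else now
        # pop() makes the challenge single-use: a replay, or a retry after a
        # failed escalation attempt, finds nothing to match.
        record = self._pending.pop(self._key(csr.challenge_password), None)
        if record is None:
            return None                      # unknown, already used, or burned
        subject, profile, expiry = record
        if now > expiry:
            return None                      # stale challenge
        if csr.subject != subject or csr.profile != profile:
            return None                      # the binding check SCEP itself lacks
        self._serial += 1
        return IssuedCert(subject, profile, self._serial)


if __name__ == "__main__":
    weak = WeakScepCa("corp-scep-2012")          # constructed shared secret
    print(weak.enroll(Csr("CN=netadmin,OU=Admins", "corp-scep-2012", "admin")))
    ca = HardenedScepCa()
    c = ca.issue_challenge("CN=alice,OU=Users")
    print(ca.enroll(Csr("CN=netadmin,OU=Admins", c, "admin")))
    print(ca.enroll(Csr("CN=alice,OU=Users", ca.issue_challenge("CN=alice,OU=Users"))))
```

The subject comparison is a plain string match for brevity; a real CA should compare the parsed distinguished name so that attribute ordering or case cannot be used to slip past the check. Burning the challenge on a failed attempt is deliberate: the legitimate user can request a new one, whereas an attacker cannot keep trying subjects against the same password.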


