Comodo/cPanel: Potential Mis-Issuance based on CAA records (Sep 28, 2017)

Status: RESOLVED INVALID
People: Reporter: quirin; Assigned: Rob.Stradling; Mentored
Whiteboard: [ca-compliance]
Attachments: 1 attachment (1.23 KB, application/x-x509-ca-cert)
Description (Reporter)

As per Gerv's request, I am filing individual bugs for [1] -- please refer to [1] for a full background.

In the two cases below, Comodo/cPanel seems not to have validated CAA records; please find our record of CAA data for those domains below.

Please note that this is well past the initial issues that Comodo faced up to Sep 12, 2017 (see Bug 1398545).

[1] https://groups.google.com/d/topic/mozilla.dev.security.policy/QpSVjzrj7T4/discussion
[2] Batch: https://misissued.com/batch/33/

======= Certificate 17 - Group 4 =======
https://crt.sh/?id=255113449
           X509v3 Subject Alternative Name:
               DNS:*.bankvrn.ru
               DNS:bankvrn.ru
        Issuer: Comodo
DNS history(Issued Sep 28)
2017-09-27:bankvrn.ru. 3600    IN      CAA     0 issue "geotrust.com"
2017-09-27:bankvrn.ru. 3600    IN      CAA     0 issue "letsencrypt.org"
2017-09-27:bankvrn.ru. 3600    IN      CAA     0 issue "thawte.com"
2017-09-27:bankvrn.ru. 3600    IN      CAA     0 issue "wosign.com"
2017-09-27:bankvrn.ru. 3600    IN      CAA     0 issuewild ";"
2017-09-28:bankvrn.ru. 3600    IN      CAA     0 issue "letsencrypt.org"
2017-09-28:bankvrn.ru. 3600    IN      CAA     0 issue "wosign.com"
2017-09-28:bankvrn.ru. 3600    IN      CAA     0 issue "thawte.com"
2017-09-28:bankvrn.ru. 3600    IN      CAA     0 issue "geotrust.com"
2017-09-28:bankvrn.ru. 3600    IN      CAA     0 issuewild ";"
2017-09-29:bankvrn.ru. 3600    IN      CAA     0 issue "thawte.com"
2017-09-29:bankvrn.ru. 3600    IN      CAA     0 issue "letsencrypt.org"
2017-09-29:bankvrn.ru. 3600    IN      CAA     0 issue "geotrust.com"
2017-09-29:bankvrn.ru. 3600    IN      CAA     0 issue "wosign.com"
2017-09-29:bankvrn.ru. 3600    IN      CAA     0 issuewild ";" 


======= Certificate 18 - Group 4 =======
https://crt.sh/?id=252132456
           X509v3 Subject Alternative Name:
               DNS:mc21colombia.com
               DNS:www.mc21colombia.com
        Issuer: cPanel (-> Comodo)
DNS history (Issued Oct 17):
2017-10-14:mc21colombia.com.   3600    IN      CAA     0 issuewild "digicert.com"
2017-10-15:mc21colombia.com.   3600    IN      CAA     0 issuewild "digicert.com"
2017-10-17:mc21colombia.com.   3600    IN      CAA     0 issuewild "digicert.com"
2017-10-18:mc21colombia.com.   300     IN      CAA     0 issuewild "digicert.com"
2017-10-18:mc21colombia.com.   300     IN      CAA     0 issue "digicert.com"
2017-10-19:mc21colombia.com.   300     IN      CAA     0 issue "digicert.com"
2017-10-19:mc21colombia.com.   300     IN      CAA     0 issuewild "digicert.com"
2017-10-20:mc21colombia.com.   300     IN      CAA     0 issue "digicert.com"
2017-10-20:mc21colombia.com.   300     IN      CAA     0 issuewild "digicert.com"
2017-10-21:mc21colombia.com.   300     IN      CAA     0 issuewild "digicert.com"
2017-10-21:mc21colombia.com.   300     IN      CAA     0 issue "digicert.com"
2017-10-22:mc21colombia.com.   300     IN      CAA     0 issuewild "digicert.com"
2017-10-22:mc21colombia.com.   300     IN      CAA     0 issue "digicert.com"

Comment 1

Over to Comodo rep.

Gerv
Assignee: kwilson → rob

Comment 2

Just to add to this, I have also had a misissuance today involving cPanel/Comodo.

Issued to web-seo.prod.ext.cuvva.co

Serial number: 00 D9 E5 BC 34 B0 89 A1 F5 A3 73 83 B1 93 E5 14 7F
SHA1 hash: 78 45 20 2B 7F E2 F8 DE 11 40 93 62 4C E9 A8 D9 98 81 2E 50

Unfortunately doesn't seem to be in the CT logs, so can't link the crt.sh page.

cuvva.co CAA record set to:

cuvva.co.		21599	IN	CAA	0 iodef "mailto:security@cuvva.com"
cuvva.co.		21599	IN	CAA	0 issue "amazon.com"
cuvva.co.		21599	IN	CAA	0 issuewild "amazon.com"

No CAA records on web-seo.prod.ext.cuvva.co, prod.ext.cuvva.co or ext.cuvva.co.

No email received in relation to the misissuance.

Comment 3

Created attachment 8932596 [details]
Example mis-issued certificate

Comment 4

(In reply to james from comment #2)
> Just to add to this, I have also had a misissuance today involving
> 
> Unfortunately doesn't seem to be in the CT logs, so can't link the crt.sh
> page.

I submitted it to a few CT logs: https://crt.sh/?id=266205228

Comment 5

Much appreciated

Added here also: https://misissued.com/batch/34/

Comment 6

And this is the intermediate: https://crt.sh/?id=12715889

Comment 7 (Reporter)

Just to confirm as a third party, we have observed the above-mentioned CAA set (issue and issuewild amazon.com) for cuvva.co since Nov 10 on all its name servers.

Precise timestamps (excluding before 11-26):
2017-11-26 10:32 UTC
2017-11-26 18:32 UTC
2017-11-27 02:33 UTC
2017-11-27 10:34 UTC
2017-11-27 18:33 UTC
2017-11-28 02:33 UTC
2017-11-28 10:33 UTC
2017-11-28 18:33 UTC

We don't have data for the subdomains.

Updated

Whiteboard: [ca-compliance]

Comment 8 (Assignee)

For Certificate 18 (https://crt.sh/?id=252132456), we performed a CAA query for mc21colombia.com at 2017-10-18 13:59:21 UTC and received this response:

  ;; opcode: QUERY, status: NOERROR
  ;; flags: qr rd ra;

  ;; QUESTION SECTION:
  ;mc21colombia.com.	IN	 CAA

  ;; ANSWER SECTION:
  mc21colombia.com.	IN	CAA	0 issuewild "digicert.com"

  ;; ADDITIONAL SECTION:

  ;; OPT PSEUDOSECTION:
  ; EDNS: version 0; flags: do; udp: 4096

Since there was no "issue" property in this CAA response, we consider this report to be a false positive.

Comment 9

Quirin: actually, that's the same as what you saw. Why did you file a report on cert 18 when, in fact, the CAA records on the date of issuance were entirely consistent with Comodo issuing a cert?

Gerv

Comment 10 (Assignee)

Gerv,

Quirin saw:
2017-10-18:mc21colombia.com.   300     IN      CAA     0 issuewild "digicert.com"
2017-10-18:mc21colombia.com.   300     IN      CAA     0 issue "digicert.com"

If we'd seen that, it would have counted as a misissuance.  (But we didn't, so it wasn't).

Comment 11

The notes above say that the cert was issued on the 17th, when he saw:

2017-10-17:mc21colombia.com.   3600    IN      CAA     0 issuewild "digicert.com"

Gerv

Comment 12

If it was issued on the 17th, why are the first entries into the CT logs on the 11th?

Comment 13 (Assignee)

Gerv,
The TBSCertificate for https://crt.sh/?id=252132456 was generated at precisely 14:59:24 UTC on the 18th October, according to our logs.  Quirin's note (alleging issuance on the 17th October) is incorrect.

James,
There are no entries in any CT logs until the 11th November simply because nobody logged this certificate until then.

Comment 14 (Reporter)

Hi,

Thank you for the discussion.

Per Gerv's question, I mistyped the "DNS history (Issued Oct 17):" string. It should have said Oct 18, on which, as per Rob's comment, we saw the below records which would not have permitted Comodo to issue non-wild.
> 2017-10-18:mc21colombia.com.   300     IN      CAA     0 issuewild "digicert.com"
> 2017-10-18:mc21colombia.com.   300     IN      CAA     0 issue "digicert.com"

However, our scan occurred past their issuance timestamp. 
I am happy to accept Rob's evidence to label this a false positive.

This was a very close call on whether to report it or not, as the restrictive record was not set for several days before the issuance time. 
In hindsight, this should not have been reported as it had a high false positive chance. My apologies.

As to James's question: The certificate was created on *Oct* 18, but logged on *Nov* 11.
Status: UNCONFIRMED → RESOLVED
Last Resolved: a year ago
Resolution: --- → INVALID
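The CAA semantics argued over in comments 8, 10 and 14 (an issuewild property on its own does not constrain a non-wildcard issuance, while an issue property does), the issuewild ";" record on bankvrn.ru from the description, and the tree-climbing lookup by which cuvva.co's records govern web-seo.prod.ext.cuvva.co in comment 2, as an added worked example that is not code from this bug, from Comodo/cPanel or from any CA. It assumes RFC 6844 section 4 lookup rules (the thread does not say which rules the CA's checker applied), uses comodoca.com as Comodo's CAA identifier as the live lookup in comment 15 shows, replaces DNS with a static dictionary constructed from the record sets quoted in the thread, and does not model CNAME/DNAME following or DNSSEC.

```python
"""CAA issuance check with the record semantics discussed in this bug.

Added example: not code from the bug thread, from Comodo/cPanel or from any
CA. Lookup semantics follow RFC 6844 section 4 (assumption: the thread does
not state which rules the CA applied); CNAME/DNAME following and DNSSEC are
not modelled, and DNS is replaced by a static dictionary constructed from
the CAA data quoted in the comments.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CAA:
    """One CAA resource record: flags, property tag and property value."""
    flags: int
    tag: str
    value: str


Zone = Dict[str, List[CAA]]  # owner name without trailing dot -> CAA RRset


def issuer_domain(value: str) -> str:
    """Issuer-domain part of an issue/issuewild value (parameters dropped).

    'comodoca.com; account=1' -> 'comodoca.com'; ';' -> '' (no CA at all).
    """
    return value.split(";", 1)[0].strip().lower()


def relevant_rrset(name: str, zone: Zone) -> Tuple[Optional[str], List[CAA]]:
    """Climb from `name` towards the TLD and return the first CAA RRset.

    A leading wildcard label is dropped, so *.bankvrn.ru is checked at
    bankvrn.ru. The climb stops before the TLD itself; this is why the
    cuvva.co records govern web-seo.prod.ext.cuvva.co when the three
    intermediate names carry no CAA records. Returns (owner, records), or
    (None, []) when no name on the path has any.
    """
    labels = name.rstrip(".").lower().split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    while len(labels) > 1:
        owner = ".".join(labels)
        if zone.get(owner):
            return owner, zone[owner]
        labels = labels[1:]
    return None, []


def issuance_permitted(name: str, ca: str, zone: Zone) -> Tuple[bool, str]:
    """Decide whether `ca` may issue a certificate for `name`.

    Non-wildcard names are governed by "issue" records only; "issuewild" is
    ignored, which is why issuewild "digicert.com" on its own did not block a
    non-wildcard issuance for mc21colombia.com. Wildcard names use "issuewild"
    when any is present and fall back to "issue" otherwise, so issuewild ";"
    forbids every CA from issuing *.name. An empty governing set permits all.
    """
    wildcard = name.startswith("*.")
    owner, rrset = relevant_rrset(name, zone)
    if owner is None:
        return True, "no CAA records on the path to the TLD"
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    governing = (issuewild or issue) if wildcard else issue
    if not governing:
        return True, f"{owner} has no governing property for this name type"
    allowed = {issuer_domain(r.value) for r in governing}
    if ca.lower() in allowed:
        return True, f"{owner} lists {ca}"
    listed = sorted(a for a in allowed if a) or ["nobody"]
    return False, f"{owner} restricts issuance to {', '.join(listed)}"


# Constructed snapshots of the record sets quoted in the bug.
BANKVRN_2017_09_28: Zone = {"bankvrn.ru": [
    CAA(0, "issue", "letsencrypt.org"), CAA(0, "issue", "wosign.com"),
    CAA(0, "issue", "thawte.com"), CAA(0, "issue", "geotrust.com"),
    CAA(0, "issuewild", ";"),
]}
MC21_2017_10_17: Zone = {"mc21colombia.com": [CAA(0, "issuewild", "digicert.com")]}
MC21_2017_10_18: Zone = {"mc21colombia.com": [
    CAA(0, "issuewild", "digicert.com"), CAA(0, "issue", "digicert.com"),
]}
CUVVA: Zone = {"cuvva.co": [
    CAA(0, "iodef", "mailto:security@cuvva.com"),
    CAA(0, "issue", "amazon.com"), CAA(0, "issuewild", "amazon.com"),
]}

if __name__ == "__main__":
    # comodoca.com as Comodo's CAA identifier, as in the live lookup in the bug
    for name, zone in [("*.bankvrn.ru", BANKVRN_2017_09_28),
                       ("bankvrn.ru", BANKVRN_2017_09_28),
                       ("mc21colombia.com", MC21_2017_10_17),
                       ("mc21colombia.com", MC21_2017_10_18),
                       ("web-seo.prod.ext.cuvva.co", CUVVA)]:
        print(name, issuance_permitted(name, "comodoca.com", zone))
```

Run against the quoted snapshots, the check reproduces the thread's conclusions: both SANs of certificate 17 are refused under the 2017-09-28 bankvrn.ru set, mc21colombia.com is permitted under the 2017-10-17 set (issuewild only) but refused once issue "digicert.com" appears on the 18th, and web-seo.prod.ext.cuvva.co is refused because the climb reaches cuvva.co. Which set a CA actually retrieved at issuance time is a separate question, which is why the thread turns on the CA's own query logs.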

Comment 15 (Assignee)

For Certificate 17 (https://crt.sh/?id=255113449):

I'm afraid we've only retained full logs of all our CAA checks back to October 12th 06:08:51 UTC, so unfortunately I'm unable to comment on what CAA response(s) we relied on to issue this certificate.

However, this is the most recent certificate we've issued to this domain (https://crt.sh/?q=%25bankvrn.ru shows them all), and a live CAA lookup just now (see below) shows that Comodo are currently authorized to issue.  Would it be unreasonable to speculate that the domain owner configured this most recent CAA record set in advance of requesting this most recent certificate?


> dig CAA +dnssec bankvrn.ru

; <<>> DiG 9.11.1-P3 <<>> CAA +dnssec bankvrn.ru
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56731
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;bankvrn.ru.                    IN      CAA

;; ANSWER SECTION:
bankvrn.ru.             3593    IN      CAA     0 issue "letsencrypt.org"
bankvrn.ru.             3593    IN      CAA     0 issuewild "comodoca.com"
bankvrn.ru.             3593    IN      CAA     0 issue "comodoca.com"
bankvrn.ru.             3593    IN      RRSIG   CAA 8 2 3600 20171227010801 20171129010801 11331 bankvrn.ru. M5BFYMT08T0qt5LYKP4SeVwUIENt2byGH3lxg5PCrl1eb98W6SeUsZ3N DNDWKo0miRc/Qp/LLEzg9t6irdvIdJ2agVC8cachJUF+ANVybOpFmtkE 1Tq9biZeRLlviNRKI3Woglh0k9CUS4Xiy9kdAkCth4YsQgl9gYznfqu2 yRg=

;; Query time: 0 msec
;; SERVER: 192.168.0.203#53(192.168.0.203)
;; WHEN: Fri Dec 01 14:46:19 GMT 2017
;; MSG SIZE  rcvd: 309

Comment 16

Hang on, this should still be kept open - the issue highlighted on the cuvva.co domain was first hand. I saw it happen in person.

Comment 17 (Assignee)

(In reply to james from comment #2)
> Just to add to this, I have also had a misissuance today involving
> cPanel/Comodo.
> 
> Issued to web-seo.prod.ext.cuvva.co
<snip>

James, thanks for reporting this.  I've looked at our logs for this certificate and discovered a new bug, which I think would be best tracked in a new Bugzilla issue.  Feel free to file one if you want.  If not, I'll file one later.

Comment 18 (Reporter)

(In reply to Rob Stradling from comment #15)
> For Certificate 17 (https://crt.sh/?id=255113449):
> 
> I'm afraid we've only retained full logs of all our CAA checks back to
> October 12th 06:08:51 UTC, so unfortunately I'm unable to comment on what
> CAA response(s) we relied on to issue this certificate.
> 
> However, this is the most recent certificate we've issued to this domain
> (https://crt.sh/?q=%25bankvrn.ru shows them all), and a live CAA lookup just
> now (see below) shows that Comodo are currently authorized to issue.  Would
> it be unreasonable to speculate that the domain owner configured this most
> recent CAA record set in advance of requesting this most recent certificate?
> 

Hi,

The purpose of this exercise was mainly to help find and fix potential flaws in CAA validation using these examples.
If you are confident that the above configuration would not have caused such an anomaly, I don't see much of a point in chasing down this specific example. 

I would close this as "can't tell", then.

Kind regards
Quirin

--
As a record of data, and to possibly learn for the future, 
we did see the Comodo-excluding issue set stable from Sep 15 through Oct 4. 
Starting on 2017-10-05 08:41:55, we did see the change to the now persisting issue set including Comodo. 

If we look at SOA Serial changes for the zone, we see no change on Sep 28:

(before)            -- 2017092001
2017-09-27 00:30:02 -- 2017092701
2017-10-04 00:41:11 -- 2017100401
2017-10-05 08:41:50 -- 2017100501

So, there is no zone update signaled on Sep 28, but the zone usually updates its serial when the zone files change.
However, the zone may have changed without a serial update, or you may have received a different reply as part of a split-horizon setup.

Comment 19 (Assignee)

(In reply to Rob Stradling from comment #17)
> (In reply to james from comment #2)
> > Just to add to this, I have also had a misissuance today involving
> > cPanel/Comodo.
> > 
> > Issued to web-seo.prod.ext.cuvva.co
> <snip>
> 
> James, thanks for reporting this.  I've looked at our logs for this
> certificate and discovered a new bug, which I think would be best tracked in
> a new Bugzilla issue.  Feel free to file one if you want.  If not, I'll file
> one later.

James,

I've just posted an incident report for this misissuance to bug #1423624.