Telia: Misissued certificate - wrong OrganizationName value "Hair 8 Brains"
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: pekka.lahtiharju, Assigned: pekka.lahtiharju)
Details
(Whiteboard: [ca-compliance] [ov-misissuance])
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Steps to reproduce:
Telia CA accepted invalid O value
Actual results:
Certificate with slightly wrong O value
Expected results:
Rejected application
Comment 1•2 years ago
- How your CA first became aware of the problem and the time and date.
The incident was discovered by the Telia CA Security Manager on the routine daily review of certificate compliance verification via the post-issuance report on 13 April 2023 at 07:06 AM EET (04:06 AM UTC).
The daily post-issuance compliance report contained the following entries to be verified:
7939630921747593204465097225827878 NEW_LOC se:sundbyberg; hair 8 brains ab se sundbyberg secure.lisamiskovsky.online
7939630921747593204465097225827878 NEW_ORG hair 8 brains ab:sundbyberg; se sundbyberg secure.lisamiskovsky.online
As per internal procedure, the Security Manager reported the finding to the Telia Certificate Administrators to be confirmed and verified as properly validated organization name and locality data in accordance with section 3.2 of the Telia Certificate Policy and Certification Practice Statement for Telia Server Certificates v. 4.9.
- A timeline of the actions your CA took in response
| Time (YYYY-MM-DD) | Action |
|---|---|
| 2023-04-06 18:13 EET (15:13 UTC) | Certificate order was placed in Telia's Certificate Management Portal. |
| 2023-04-11 17:19 EET (14:19 UTC) | Certificate order was processed by Registration Officer after Easter Break (see section 6 for further details) |
| 2023-04-12 09:50 EET (06:50 UTC) | Secondary approval by second Registration Officer done |
| 2023-04-12 09:50 EET (06:50 UTC) | Second approver enrolled the certificate with incorrect organization name |
| 2023-04-13 07:00 EET (04:00 UTC) | New Organization and Locality entries for organization Hair 8 Brains AB were detected by Telia CA Security Manager in the daily post-issuance report for identity validation data compliance check |
| 2023-04-13 07:06 EET (04:06 UTC) | Identified organization and locality entries were reported to Telia CA Administrators for validation data confirmation and verification by Telia CA Security Manager in internal reporting channel |
| 2023-04-13 16:55 EET (13:55 UTC) | Telia CA Administrator identified incorrect organization name in the certificate |
| 2023-04-13 17:27:51 EET (14:27:51 UTC) | Telia CA Administrator revoked the misissued certificate |
| 2023-04-13 19:00 EET (16:00 UTC) | Telia CA Administrator responsible for confirmation and verification of the said O/L values reported internally via email to the responsible Registration Officer, Telia CA Security Manager and Telia CA Validation Manager the identified issue with incorrect data in the certificate and that the certificate was revoked after informing the certificate subject about the issue. |
| 2023-04-14 07:15 EET (04:15 UTC) | Telia CA Security Manager reviewed the email report from Telia CA Administrator and determined that the issue required public disclosure as a violation of CP/CPS section 3.2, the applicable requirements in the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates Version 1.8.7 published by the CA/Browser Forum and, subsequently, the root certificate program policies of root programs and root certificate stores containing Telia Certificate Authority's Root Certificates. |
| 2023-04-14 07:23 EET (04:23 UTC) | Telia CA Security Manager initiated the internal incident management process and filed an internal bugzilla report to start the disclosure process. Initial data was collected by Telia CA Security Manager to the filed bug |
| 2023-04-14 07:29 EET (04:29 UTC) | Telia CA Security Manager informed all relevant internal parties that the public disclosure process had been initiated and reported the preliminary information details via email and in the internal communication channel. |
| 2023-04-14 08:54 EET (05:54 UTC) | Telia CA Administrator responsible for the incident handling called in a supplemental Telia CA Security Board meeting to formally decide upon activities concerning public disclosure |
| 2023-04-14 09:30-10:00 EET (06:30-07:00 UTC) | Supplemental Security Board meeting was held and a formal decision on the public disclosure process was made and recorded. Telia CA Security Manager was designated as responsible to oversee the incident reporting process and duly report the incident to Mozilla Bugzilla and other involved parties (root programs) with the help of all Telia PKI Team members relevant for the issue |
| 2023-04-14 10:06 EET (07:06 UTC) | Telia CA Security Manager initiated the detailed evidence and issue reporting work and started preparations for public disclosure report filing. |
| 2023-04-14 10-14 EET (07-11 UTC) | Telia CA Administrators inspected the details of the incident and its reasons |
| 2023-04-14 XX:XX EET (XX:XX UTC) | Mozilla Bug report was filed and all relevant root programs were informed as per their respective policy requirements. |
- Whether your CA has stopped, or has not yet stopped, certificate issuance or the process giving rise to the problem or incident.
Telia CA did not stop issuance as this incident only concerned one (1) certificate and no other similar cases were identified by Telia Certificate Administrators in the process of handling the incident.
- In a case involving certificates, a summary of the problematic certificates
One (1) certificate was misissued with incorrect organizationName: "Hair 8 Brains AB"
Certificate serial number: 0187743b214bcf6e24aebd75a07626
Certificate Subject information:
CN = secure.lisamiskovsky.online
O = Hair 8 Brains AB
L = SUNDBYBERG
C = SE
Certificate was issued at Apr 12 06:50:44 2023 UTC
Certificate was revoked at Apr 13 14:27:51 2023 UTC
- In a case involving TLS server certificates, the complete certificate data for the problematic certificates
Complete certificate data of the problematic certificate:
https://crt.sh/?sha256=9CB015DBD60457745D2330B27A74C59023E2DDD8D5AD306C142CBAC57154E10B
- Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now
The root cause for the misissuance was threefold:
1. The certificate order was made in Telia CA's single-certificate order portal / form, which allows for Organization name modification after successful verification of organization data from official registers.
    a. In this case the person placing the order manually changed "Hair & Brains AB" to "Hair 8 Brains AB" after verification, before submitting the order to Telia CA, and this changed value was used as the organization name in the certificate.
2. The Certificate Management Portal generated the CSR based on the inputted incorrect organization name.
3. One RA person misunderstood how Telia CA's Certificate Management Portal functionality works in relation to how an incorrect organization name on an order should be corrected. In the Telia RA process invalid O values should be rejected by the Registration Officer instead of trying to fix them.
    a. Registration Officer identified in the Certificate Management Portal that the organization name was incorrect (the portal reported an invalid value for the organization based on validation data from Telia CA's validated and trusted registry service DNB / Bisnode)
    b. Registration Officer executed revalidation of the organization name from the public register
    c. After revalidation the Registration Officer tried to change the organization name in the RA user interface (this isn't possible)
    d. Registration Officer made 1st level approval of the order and submitted it for secondary approval - the validation process in RA requires dual verification of the validation data by a second Registration Officer.
    e. Secondary approver double checked the validation data available in the portal user interface with the corrected organization name
    f. Secondary approver approved the order and issued the certificate.
    - The Certificate Management Portal did not recreate the CSR at this stage prior to certificate enrolment and used the CSR generated in the order submission phase (see above).
The above led to the issued certificate containing the incorrect organization name "Hair 8 Brains AB", because the fix in step 3c was valid only for the reject function and enrolment still used the original value from the Customer via the CSR.
Excerpt of the order data:
CUSTOMER INFORMATION:
Company Name: Hair 8 Brains AB
Business Identity Code: 5591684815
NOTE: individual identities of Registration Officers are not disclosed.
| Time | Event | Notes |
|---|---|---|
| 2023-04-11 17:19:01 EET | INFO SERVERCERT_ORDER | Order grqbMqpXtIYSKIoIRMjGNFR8MCFKSsaQmgqwh2y9s field payer changed: "Hair 8 Brains AB" -> "Hair & Brains AB" by |
| 2023-04-11 17:19:01 EET | INFO SERVERCERT_ORDER | Order grqbMqpXtIYSKIoIRMjGNFR8MCFKSsaQmgqwh2y9s field companyname changed: "Hair 8 Brains AB" -> "Hair & Brains AB" by |
| 2023-04-11 17:19:01 EET | INFO SERVERCERT_ORDER | Order grqbMqpXtIYSKIoIRMjGNFR8MCFKSsaQmgqwh2y9s field businessidentitycode changed: "5591684815" -> "SEORGNO:5591684815" |
| 2023-04-11 17:19:20 EET | INFO APPROVE_SSL_VALUE | SEORGNO:5591684815 secure_lisamiskovsky_online-grqbmqpxti caorganization (Hair & Brains AB) allabolag.se Hair & Brains AB<br/> Org.nr: 559168-4815 |
| 2023-04-11 17:19:20 EET | INFO DATABLOCK_APPROVED | CaOrganization=Hair & Brains AB,,cn=Hair___Brains_AB.7424,Subscriber=SEORGNO:5591684815, Registry=allabolag.se,Appr.Time=2023-04-11 17:19:20,Comment=Hair & Brains AB<br/> Org.nr: 559168-4815 |
| 2023-04-12 09:50:50 EET | INFO SERVER_CERTIFICATE_ENROLL | 83A53B1D7BEFC28D3CC1F72742222754 serialnumber=000187743B214BCF6E24AEBD75A07626; md5==0acd1b9c84ac9e6020109a07e4853 |
| 2023-04-12 09:50:50 EET | INFO SERVER_CERTIFICATE_ENROLL | 83A53B1D7BEFC28D3CC1F72742222754 md5=0acd1b9c84ac9e6020109a07e4853086 cn=secure.lisamiskovsky.online org=Hair 8<br/> Brains AB cert subject=cn=secure.lisamiskovsky.online,o=Hair 8 Brains AB,l=SUNDBYBERG,c=SE jurisdiction=Telia Server C<br/> A v3 validto=31536000 serial=000187743B214BCF6E24AEBD75A07626 |
| 2023-04-12 09:50:50 EET | INFO SERVERCERT_ORDER | 83A53B1D7BEFC28D3CC1F72742222754 Order grqbMqpXtIYSKIoIRMjGNFR8MCFKSsaQmgqwh2y9s status changed from pending to approved by |
| 2023-04-12 09:50:50 EET | INFO SERVERCERT_ORDER | 83A53B1D7BEFC28D3CC1F72742222754 Order grqbMqpXtIYSKIoIRMjGNFR8MCFKSsaQmgqwh2y9s saved by |
- List of steps your CA is taking to resolve the situation and ensure that such a situation or incident will not be repeated in the future

| Action | Status | To be completed |
|---|---|---|
| Immediate RA re-training to prevent short-term issues to recur | PENDING | 21.04.2023 |
| Telia CA shall completely prevent Registration Officer's capability to change subject data in the validation phase in the portal | PENDING | 15.05.2023 |

Telia CA shall be reporting the progress gradually and in a timely manner to this bug until the last action point is verified completed.
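The two mechanisms the report describes, the post-issuance compliance check that compared issued subjects against validated data, and the remediation of taking subject values only from the validated record instead of the subscriber-supplied CSR, can be illustrated with a small script. This is an added example, not Telia's code and not part of the original bug report. It uses the DATABLOCK_APPROVED and "cert subject=" strings quoted in the log excerpt above as its inputs; the validated locality and country values (`VALIDATED_LOCALITY`) are an assumption, since the quoted datablock line carries only the organization name.

```python
from typing import Dict, List

# Constructed inputs, built from values quoted in the incident report.
# The DATABLOCK_APPROVED text is the validated record the Registration
# Officers approved; ENROLLED_SUBJECT is what was actually enrolled.
DATABLOCK_APPROVED = (
    "CaOrganization=Hair & Brains AB,,cn=Hair___Brains_AB.7424,"
    "Subscriber=SEORGNO:5591684815, Registry=allabolag.se,"
    "Appr.Time=2023-04-11 17:19:20,Comment=Hair & Brains AB Org.nr: 559168-4815"
)
# Assumed: locality/country are not in the quoted datablock line, so these
# two values stand in for the validated L/C record.
VALIDATED_LOCALITY = {"l": "SUNDBYBERG", "c": "SE"}
ENROLLED_SUBJECT = "cn=secure.lisamiskovsky.online,o=Hair 8 Brains AB,l=SUNDBYBERG,c=SE"


def parse_kv(text: str) -> Dict[str, str]:
    """Split 'a=b,c=d' into a dict with lower-cased keys. Both the datablock
    and the enrolment-log subject use this shape with unescaped values, so a
    plain comma split is enough; empty fields (',,') are skipped."""
    out: Dict[str, str] = {}
    for item in text.split(","):
        if "=" in item:
            key, value = item.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out


def validated_subject(datablock: str, locality: Dict[str, str]) -> Dict[str, str]:
    """Assemble the O/L/C values that registry validation actually approved."""
    block = parse_kv(datablock)
    return {"o": block["caorganization"], "l": locality["l"], "c": locality["c"]}


def subject_mismatches(validated: Dict[str, str], enrolled_subject: str) -> List[str]:
    """Pre- or post-issuance lint: list every identity attribute whose
    enrolled value differs from the validated value. Comparison is exact
    after whitespace normalisation; the registry name is what must appear
    in the certificate, so even a one-character difference is reported."""
    enrolled = parse_kv(enrolled_subject)
    problems = []
    for attr, good in validated.items():
        actual = enrolled.get(attr)
        if actual is None or " ".join(actual.split()) != " ".join(good.split()):
            problems.append(f"{attr.upper()}: validated {good!r}, enrolled {actual!r}")
    return problems


def build_enrolment_subject(validated: Dict[str, str], csr_subject: str) -> str:
    """Remediation: take only the CN from the subscriber's CSR and fill O/L/C
    from the validated record, so an edited or mistyped organisation name in
    the order form or CSR can never reach the certificate."""
    cn = parse_kv(csr_subject).get("cn")
    if not cn:
        raise ValueError("CSR subject has no CN")
    return f"cn={cn},o={validated['o']},l={validated['l']},c={validated['c']}"


if __name__ == "__main__":
    validated = validated_subject(DATABLOCK_APPROVED, VALIDATED_LOCALITY)
    for line in subject_mismatches(validated, ENROLLED_SUBJECT):
        print("MISMATCH", line)
    print("would enrol:", build_enrolment_subject(validated, ENROLLED_SUBJECT))
```

Run against the quoted values, `subject_mismatches` reports the O attribute ("Hair & Brains AB" validated, "Hair 8 Brains AB" enrolled), which is the condition the daily post-issuance report surfaced a day after issuance; running the same comparison before enrolment, or building the subject with `build_enrolment_subject`, would have blocked the certificate at the second approval step.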
Comment 3•2 years ago
This is to confirm that immediate RA trainings have been completed by 20.04.2023 to complete the first action of the remediation actions identified for this issue.
Comment 4•2 years ago
This is to confirm that the following actions to remedy the reported issue have been completed and, from our point of view, with the remedial actions implemented we consider this incident and its root cause resolved as planned.

| Action | Status | Completed |
|---|---|---|
| Immediate RA re-training to prevent short-term issues to recur | RESOLVED / COMPLETED | 21.04.2023 |
| Telia CA shall completely prevent Registration Officer's capability to change subject data in the validation phase in the portal | RESOLVED / COMPLETED | 16.05.2023 |
Comment 5•2 years ago
Kindly requesting this incident to be closed; we've completed the activities planned and we've been following up on this incident for comments. As there haven't been any additional requests, reviews or comments on this, we conclude that this incident could be closed.
Comment 6•2 years ago
I'll close this on or about Friday, 30-June-2023, unless there are issues to discuss.