Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Privacy The Internet

Cisco Subdomain Private Key Found in Embedded Executable (google.com) 53

Earlier this month, a developer accidentally discovered the private key of a Cisco subdomain. An anonymous reader shares the post: Last weekend, in an attempt to get Sky's NOW TV video player (for Mac) to work on my machine, I noticed that one of the Cisco executables contains a private key that is associated with the public key in a trusted certificate for a cisco.com sub domain. This certificate is used in a local WebSocket server, presumably to allow secure Sky/NOW TV origins to communicate with the video player on the users' local machines. I read the Baseline Requirements document (version 1.4.5, section 4.9.1.1), but I wasn't entirely sure whether this is considered a key compromise. I asked Hanno Bock on Twitter, and he advised me to post the matter to this mailing list. The executable containing the private key is named 'CiscoVideoGuardMonitor', and is shipped as part of the NOW TV video player. In case you are interested, the installer can be found here (SHA-256: 56feeef4c3d141562900f9f0339b120d4db07ae2777cc73a31e3b830022241e6). I would recommend to run this installer in a virtual machine, because it drops files all over the place, and installs a few launch items (agents/daemons). The executable 'CiscoVideoGuardMonitor' can be found at '$HOME/Library/Cisco/VideoGuardPlayer/VideoGuardMonitor/ VideoGuardMonitor.bundle/Contents/MacOS/CiscoVideoGuardMonitor'. Certificate details: Serial number: 66170CE2EC8B7D88B4E2EB732E738FE3A67CF672, DNS names: drmlocal.cisco.com, Issued by: HydrantID SSL ICA G2. The issuer HydrantID has since communicated with the certificate holder Cisco, and the certificate has been revoked.
This discussion has been archived. No new comments can be posted.

Cisco Subdomain Private Key Found in Embedded Executable

Comments Filter:
  • by charlie merritt ( 4684639 ) on Tuesday June 20, 2017 @10:45AM (#54654375)
    Why don't they study this just a bit?
    • Key management, motherfucker, do you speak it? Say 'embedded private key' again. Say 'embedded private key' again, I dare you, I double dare you motherfucker, say embedded private key one more Goddamn time!
  • by __aaclcg7560 ( 824291 ) on Tuesday June 20, 2017 @10:49AM (#54654391)

    "Which one is the public key and the private key? Oh, screw it. I'll include both."

    • This domain resolves to 127.0.0.1 and was likely a use-case where a self-signed key would have done just as well is my guess, i.e. nothing to see here.

      • by XanC ( 644172 )

        I agree about nothing to see here in that the "vulnerability" is minimal.

        But a self-signed certificate wouldn't have worked. The browser would complain and/or refuse to connect.

        • Not if you add the cert to your PC's certificate store as a root certificate. This works fine if you have control over all PCs that will be using the site.
          • by XanC ( 644172 )

            Hardly improves security, though, does it?

          • by Strider- ( 39683 )

            Not if you add the cert to your PC's certificate store as a root certificate. This works fine if you have control over all PCs that will be using the site.

            You or I know how to do this. The average person on the street? not so much.

      • by jaymemaurice ( 2024752 ) on Tuesday June 20, 2017 @11:17AM (#54654565)

        Uhhh sorry but you are wrong about this being a "nothing to see here". You can use this private key to run a "trusted https site" on local host that is capable of stealing cookies set for cisco.com. If you can man in the middle http traffic and DNS you can redirect the http traffic to this "site" on another system which includes content from cisco.com and steals cookies or does cross site scripting. Does Cisco have cloud services? Where are the session authentication cookies set and what other parameters invalidate them that can't be spoofed using data obtained by the web browser in the initial request...

  • If they want an HTTPS website to be able to access a local service I've installed via WebSocket, then what other option is there?

    Also, this only theoretically allows an attacker to steal cookies if they're based off the company's root domain. Doesn't seem so bad.

    • If they want an HTTPS website to be able to access a local service I've installed via WebSocket, then what other option is there?

      Have the local HTTPS server generate its own private key and then send a certificate signing request (CSR) with the public key and hostname to a certificate authority (CA).

      But this in turn raises two questions: which CA, and which hostname? Let's Encrypt is limited to 20 certificates per registrable domain per week, and if all devices are on the same domain, it'll hit that rate limit fairly quickly. Is every end user supposed to pay for his own domain and pay to keep it renewed? Or is the manufacturer suppo

      • by XanC ( 644172 )

        But the local HTTPS server only listens on localhost. It doesn't *need* to be secure at all, really. The only reason it needs HTTPS at all is because the browser will scream bloody murder if you try to make a WebSocket connection to a non-HTTPS WebSocket server (even if it's running on the local machine) when viewing an HTTPS site.

        So in addition to all the problems you raised with getting a unique certificate for each, there's the additional problem of the HTTPS server not being reachable from the outside

        • there's the additional problem of the HTTPS server not being reachable from the outside at all.

          ACME as implemented by Let's Encrypt supports a cleartext HTTP challenge and a DNS challenge. A user obtaining a certificate can use either of these to prove domain control. Only the cleartext HTTP challenge requires the server to be "reachable from the outside". The DNS challenge requires that the device requesting the certificate have control over TXT records associated with the requested hostname, which is true of any dynamic DNS implementation.

          • "The DNS challenge requires that the device requesting the certificate have control over TXT records associated with the requested hostname, which is true of any dynamic DNS implementation."

            Are you saying devices in the world have access to send dynamic DNS updates for a domain, of which they have a record pointing to an address that reaches the device?

            I don't know that many people who habe domains just for their own devices at home ...

            Sure, it's technically possible, but it's also possible for the user to

            • I don't know that many people who habe domains just for their own devices at home ...

              The manufacturer of such a device is expected to follow the following steps:

              1. Register a domain for devices to use.
              2. Submit this domain to Mozilla's Public Suffix List so that cookies and certificates from one device don't leak to others.
              3. Issue a subdomain of this domain to each device.
              4. Operate a dynamic DNS service so that devices can set their AAAA and TXT records.

              The cost of steps 1 and 4 would be rolled into the price of each device.

              Sure, it's technically possible, but it's also possible for the user to operate their own CA

              It may not be possible for the user to configure a particular dev

      • Let's Encrypt will raise the limitation if you ask nicely. https://docs.google.com/forms/... [google.com]
    • by mysidia ( 191772 )

      Generate a locally-significant self-signed certificate and install it into the Trusted Certificate storage.

You are in a maze of little twisting passages, all different.

Working...