SUMMARY
Websense Content Gateway proxy explicitly trusts compromised certificate
authorities
Affected versions: Content Gateway 7.8.x
Not affected: Content Gateway 7.7.x, 8.0
DESCRIPTION
Websense Content Gateway is a filtering web proxy and content inspection
application based on a modified Inktomi/Apache Traffic Server. To
enable inspection and filtering of encrypted traffic, the application
uses an internal certificate authority and decrypts and re-encrypts
traffic passing through the device. Content Gateway maintains its own
list of trusted certificate authorities, since all HTTPS traffic
accessed via Content Gateway will appear to be signed by the Content
Gateway CA.
Websense updates the list of trusted certificate authorities with each
new major version (7.7.0, 7.8.0, etc.). It appears new trusted
certificates were imported from the Mozilla/NSS CA store for 7.8.0, but
the "deny trust" flag was set incorrectly. Therefore, the status of
compromised certificates (DigiNotar, UTN-USERFirst-Hardware, Digisign
(Enrich)) was imported as "explicitly trusted" instead of "untrusted".
RISK
An attacker with access to these compromised certificates could mount a
phishing or MITM attack against clients behind a Content Gateway without
raising suspicions.
RESOLUTION
Websense will not release a patch for this issue. Users of affected
systems can upgrade to 8.0, manually delete the compromised trusted
certificate authorities, or change the status to "Deny". I have
provided steps below that update the status in bulk from the OS shell
(non-appliance).
FIX
You should review and test these steps first, and evaluate whether any
other trusted certificates should be updated or removed. These steps are
not supported by Websense, and there is no warranty.
From the shell, execute the following commands. This script will
change the "status" column to 1 (deny) for the certificate authorities
with the listed hashes. Content Gateway must be stopped, or your
changes will be overwritten.
sudo service WCG stop
sudo /usr/bin/sqlite3 /opt/WCG/config/new_scip3.db
Paste the following script:
UPDATE cert_issuer
SET status = 0
WHERE issuer_hash IN (
'20533f91_0FFFFFFF',
'46f053f0_0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF',
'84009bc3_0FFFFFFF',
'856583ec_0FFFFFFF',
'aee5f10d_07FFFFFFFFFF',
'b13cc6df_047ECBE9FCA55F7BD09EAE36E10CAE1E',
'b13cc6df_392A434F0E07DF1F8AA305DE34E0C229',
'b13cc6df_3E75CED46B693021218830AE86A82A71',
'b13cc6df_72032105C50C08573D8EA5304EFEE8B0',
'b13cc6df_9239D5348F40D1695A745470E1F23F43',
'b13cc6df_B0B7133ED096F9B56FAE91C874BD3AC0',
'b13cc6df_D7558FDAF5F1105BB213282B707729A3',
'b13cc6df_D8F35F4EB7872B2DAB0692E315382FB0',
'b13cc6df_E9028B9578E415DC1A710A2B88154447',
'b13cc6df_F5C86AF36162F13A64F54F6DC9587C06',
'c692a373_07FFFFFFFFFF',
'cc154c6e_0FFFFFFF',
'cee8e824_0FFFFFFF'
);
.quit
sudo service WCG start
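As an added example (not part of this advisory and not Websense tooling), the following Python script backs up new_scip3.db, reports which of the listed issuer hashes still carry a non-deny status, and applies the same UPDATE with bound parameters so the list can be re-checked afterwards. It assumes only the table and column names the advisory uses (cert_issuer, issuer_hash, status); the deny value follows the advisory's script (0) rather than its prose (1), so it is a constant to confirm against an existing denied entry before running on a live database, with Content Gateway stopped as above.

```python
import shutil
import sqlite3
import time

DB_PATH = "/opt/WCG/config/new_scip3.db"  # path given in the advisory
DENY_STATUS = 0  # value the advisory's UPDATE uses; confirm on your own DB

# Issuer hashes from the advisory's script.
COMPROMISED_HASHES = (
    "20533f91_0FFFFFFF", "46f053f0_0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
    "84009bc3_0FFFFFFF", "856583ec_0FFFFFFF", "aee5f10d_07FFFFFFFFFF",
    "b13cc6df_047ECBE9FCA55F7BD09EAE36E10CAE1E", "b13cc6df_392A434F0E07DF1F8AA305DE34E0C229",
    "b13cc6df_3E75CED46B693021218830AE86A82A71", "b13cc6df_72032105C50C08573D8EA5304EFEE8B0",
    "b13cc6df_9239D5348F40D1695A745470E1F23F43", "b13cc6df_B0B7133ED096F9B56FAE91C874BD3AC0",
    "b13cc6df_D7558FDAF5F1105BB213282B707729A3", "b13cc6df_D8F35F4EB7872B2DAB0692E315382FB0",
    "b13cc6df_E9028B9578E415DC1A710A2B88154447", "b13cc6df_F5C86AF36162F13A64F54F6DC9587C06",
    "c692a373_07FFFFFFFFFF", "cc154c6e_0FFFFFFF", "cee8e824_0FFFFFFF",
)


def backup_db(db_path=DB_PATH):
    """Copy the SQLite file aside before changing it; returns the copy's path."""
    dest = f"{db_path}.{time.strftime('%Y%m%d%H%M%S')}.bak"
    shutil.copy2(db_path, dest)
    return dest


def audit(conn, hashes=COMPROMISED_HASHES):
    """Return (issuer_hash, status) rows for listed issuers not yet set to deny."""
    marks = ",".join("?" * len(hashes))
    rows = conn.execute(
        f"SELECT issuer_hash, status FROM cert_issuer "
        f"WHERE issuer_hash IN ({marks}) AND status != ?",
        (*hashes, DENY_STATUS)).fetchall()
    return sorted(rows)


def deny(conn, hashes=COMPROMISED_HASHES):
    """Apply the advisory's UPDATE with bound parameters; returns rows changed."""
    cur = conn.executemany("UPDATE cert_issuer SET status = ? WHERE issuer_hash = ?",
                           [(DENY_STATUS, h) for h in hashes])
    conn.commit()
    return cur.rowcount


def sample_db():
    """Constructed in-memory stand-in for new_scip3.db (schema is assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cert_issuer (issuer_hash TEXT PRIMARY KEY, status INTEGER)")
    # Status 2 is a constructed placeholder for a non-deny entry, not a real code.
    rows = [(h, 2) for h in COMPROMISED_HASHES[:3]] + [("deadbeef_0FFFFFFF", 2)]
    conn.executemany("INSERT INTO cert_issuer VALUES (?, ?)", rows)
    conn.commit()
    return conn
```

On a real system, call backup_db(), open DB_PATH with sqlite3.connect, run audit() to see what will change, then deny() and audit() again, which should return an empty list.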
TIMELINE
10/10/2014: Opened case with Websense support
10/30/2014: Websense support claims the product does not include
compromised certificates, and that I added them. I disagree, and verify
that a clean install of the product does include them.
11/11/2014: Informed by support that Websense will review the
certificates for the next release, but will not issue a patch for
existing systems.
11/19/2014: Attempt to escalate issue via sales instead of support
11/20/2014: Sales says they're checking with product management about a
patch
1/20/2015: Asked for update on patch
1/21/2015: Informed 8.0 product will include a fix
2/3/2015: Triton 8.0 product released; compromised certificates are no
longer included at all
Thanks to Websense Product Security for correcting an error in the SQL
script above.