Bug 1038894

Summary: nss: Mis-issued ANSSI/DCSSI certificate (MFSA 2013-117)
Product: [Other] Security Response
Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: security-response-team
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: nss 3.15.3.1
Doc Type: Bug Fix
Last Closed: 2021-10-20 10:42:01 UTC
Bug Depends On: 1040282, 1040283, 1040284, 1040285, 1042683, 1042684, 1042685, 1042686, 1042687, 1042688
Bug Blocks: 1030244, 1038895

Description Huzaifa S. Sidhpurwala 2013-12-06 04:58:33 UTC
Google notified Mozilla that an intermediate certificate, which chains up to a root included in Mozilla's root store, was loaded into a man-in-the-middle (MITM) traffic management device. This certificate was issued by Agence nationale de la sécurité des systèmes d'information (ANSSI), an agency of the French government and a certificate authority in Mozilla's root program. A subordinate certificate authority of ANSSI mis-issued an intermediate certificate that they installed on a network monitoring device, which enabled the device to act as a MITM proxy performing traffic management of domain names or IP addresses that the certificate holder did not own or control.

The issue was not specific to Firefox but there was evidence that one of the certificates was used for MITM traffic management of domain names that the customer did not legitimately own or control. This issue was resolved by revoking trust in the intermediate used by the sub-CA to issue the certificate for the MITM device. 

External Reference:

http://www.mozilla.org/security/announce/2013/mfsa2013-117.html


Acknowledgements:

Red Hat would like to thank the Mozilla project for reporting this issue.
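The description above explains both the problem (an intermediate chained to a trusted root lets a device present valid-looking certificates for any hostname) and the fix (trust in that one intermediate is revoked, while the root stays trusted). The following Go program is an added example, not code from this bug, from Mozilla or from NSS; it uses Go's standard crypto/x509 instead of NSS, and the certificate names, serials and the hostname www.example.test are constructed. It builds a root, an intermediate and a leaf, shows that ordinary path validation accepts the leaf, and then applies a fingerprint-based distrust list that rejects any chain passing through the intermediate, which approximates the effect of NSS shipping that certificate as explicitly distrusted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"math/big"
	"time"
)

// signCert issues a certificate for a fresh P-256 key; a nil parent means self-signed.
func signCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil { // self-signed root
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildDemoPKI models the report: a root in the trust store, a sub-CA intermediate under it,
// and a leaf for a host the intermediate's holder does not control (all values constructed).
func BuildDemoPKI(host string) (root, inter, leaf *x509.Certificate, err error) {
	now := time.Now()
	caTmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(24 * time.Hour),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign,
		}
	}
	root, rootKey, err := signCert(caTmpl(1, "Example Trusted Root"), nil, nil)
	if err != nil {
		return
	}
	inter, interKey, err := signCert(caTmpl(2, "Example Sub-CA Intermediate"), root, rootKey)
	if err != nil {
		return
	}
	leaf, _, err = signCert(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // a name the sub-CA's customer does not own
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, interKey)
	return
}

// Fingerprint is the hex SHA-256 of the DER encoding: a distrust entry pins one exact certificate.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// VerifyWithDistrust runs normal path validation, then applies the remediation from the report:
// a chain through an explicitly distrusted certificate is rejected even though it ends at a trusted root.
func VerifyWithDistrust(leaf, inter, root *x509.Certificate, host string, distrusted map[string]bool) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	if err != nil {
		return err // untrusted root, name mismatch, expiry, etc.
	}
next:
	for _, chain := range chains {
		for _, c := range chain {
			if distrusted[Fingerprint(c)] {
				continue next
			}
		}
		return nil // at least one chain avoids every distrusted certificate
	}
	return errors.New("every candidate chain passes through a distrusted certificate")
}
```

Calling `VerifyWithDistrust(leaf, inter, root, "www.example.test", nil)` succeeds, because the chain is cryptographically valid and ends at a trusted root; adding `Fingerprint(inter)` to the distrust map makes the same call fail. The point for defenders is that revocation of an intermediate has to be enforced by the verifier as an explicit block on that certificate, since nothing in the chain itself looks wrong.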

Comment 2 Huzaifa S. Sidhpurwala 2013-12-11 06:07:06 UTC
Created ca-certificates tracking bugs for this issue:

Affects: fedora-all [bug 1040283]

Comment 3 Huzaifa S. Sidhpurwala 2013-12-11 06:07:10 UTC
Created nss tracking bugs for this issue:

Affects: fedora-all [bug 1040282]

Comment 8 errata-xmlrpc 2013-12-19 23:03:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2013:1861 https://rhn.redhat.com/errata/RHSA-2013-1861.html

Comment 9 errata-xmlrpc 2013-12-20 00:53:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1866 https://rhn.redhat.com/errata/RHSA-2013-1866.html

Comment 10 Fedora Update System 2013-12-21 02:25:24 UTC
ca-certificates-2013.1.95-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2013-12-22 05:40:55 UTC
nss-3.15.3.1-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2013-12-22 05:42:41 UTC
ca-certificates-2013.1.95-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2013-12-31 01:54:27 UTC
ca-certificates-2013.1.95-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2013-12-31 02:02:05 UTC
nss-3.15.3.1-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2014-01-05 12:35:11 UTC
nss-3.15.3.1-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.