Bug 890605 (CVE-2013-0743, TURKTRUST)

Summary: CVE-2013-0743 nss: Dis-trust TURKTRUST mis-issued *.google.com certificate
Product: [Other] Security Response
Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: amarecek, dpal, emaldona, jgalipea, jorton, kengert, ksrot, rrelyea, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Doc Text:
[REJECTED CVE] TURKTRUST, a certificate authority in Mozilla's root program, had mis-issued two intermediate certificates to customers. One of the certificates was used for man-in-the-middle (MITM) traffic management of domain names that the customer did not legitimately own or control. An intermediate certificate that is used for MITM allows the holder of the certificate to decrypt and monitor communication within their network between the user and any website. Additionally, if the private key to one of the mis-issued intermediate certificates was compromised, then an attacker could use it to create SSL certificates containing domain names or IP addresses that the certificate holder does not legitimately own or control. An attacker armed with a fraudulent SSL certificate and an ability to control their victim's network could impersonate websites in a way that would be undetectable to most users. Such certificates could deceive users into trusting websites appearing to originate from the domain owners, but actually containing malicious content or software.
Story Points: ---
Last Closed: 2015-08-22 16:53:55 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 890914, 890915, 891149, 891150, 891151, 891761, 891806
Bug Blocks: 890611
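
The Doc Text above explains why a mis-issued intermediate is dangerous: a certificate that carries the CA flag can sign leaf certificates for any name, and those leaves chain to a trusted root, so clients accept them. The fix shipped in the nss errata is an explicit distrust entry for the specific certificates rather than removal of the root. The following added example (constructed for this record; not code from the bug, from NSS or from Mozilla) models that with a toy path validator over plain-dict certificates. All certificate data is constructed, signature verification is assumed to have been done by the caller, and the fingerprint is a stand-in for the hash of the DER encoding that a real root store keys its distrust records on.

```python
"""Toy certificate-path validator showing the effect of an explicit distrust entry.

Constructed illustration, not code from this bug, NSS or Mozilla. Certificates are
plain dicts, and cryptographic signature verification is assumed to happen before
this check, so issuer/subject naming is the only linkage examined here.
"""
import hashlib

# --- constructed sample certificates (not the real TURKTRUST certificates) ---
ROOT = {"subject": "Example Root CA", "issuer": "Example Root CA", "serial": 1, "is_ca": True}
# A customer certificate mistakenly issued with the CA flag set: the mis-issuance.
ROGUE_INTERMEDIATE = {"subject": "Customer Intermediate (mis-issued)", "issuer": "Example Root CA",
                      "serial": 2, "is_ca": True}
# What the customer should have received: an end-entity certificate.
CUSTOMER_EE = {"subject": "customer.example", "issuer": "Example Root CA", "serial": 3, "is_ca": False}
# A leaf for a domain the customer does not control, signed by each of the above.
LEAF_VIA_ROGUE = {"subject": "*.google.com", "issuer": "Customer Intermediate (mis-issued)",
                  "serial": 4, "is_ca": False}
LEAF_VIA_EE = {"subject": "*.google.com", "issuer": "customer.example", "serial": 5, "is_ca": False}


def fingerprint(cert):
    """Stand-in for the SHA-256 of the DER encoding: hash the canonical fields."""
    material = "|".join(str(cert[k]) for k in ("subject", "issuer", "serial", "is_ca"))
    return hashlib.sha256(material.encode()).hexdigest()


def name_matches(hostname, pattern):
    """Match a hostname against the leaf subject; '*' covers exactly one label."""
    host, pat = hostname.lower().split("."), pattern.lower().split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat


def build_path(leaf, intermediates, roots):
    """Follow issuer names from the leaf up to a trusted root, or return None."""
    by_subject = {c["subject"]: c for c in intermediates}
    root_by_subject = {r["subject"]: r for r in roots}
    path, current = [leaf], leaf
    for _ in range(8):  # bound the walk; a cycle or missing issuer means no path
        if current["issuer"] in root_by_subject:
            return path + [root_by_subject[current["issuer"]]]
        current = by_subject.get(current["issuer"])
        if current is None:
            return None
        path.append(current)
    return None


def validate(hostname, leaf, intermediates, roots, distrusted=frozenset()):
    """Return (ok, reason). `distrusted` holds fingerprints that may never appear
    in a path, which is how a root store blocks one mis-issued certificate while
    the root that signed it stays trusted."""
    path = build_path(leaf, intermediates, roots)
    if path is None:
        return False, "no path to a trusted root"
    for cert in path[1:]:
        if not cert["is_ca"]:
            return False, f"{cert['subject']} is not a CA but issued a certificate"
    for cert in path:
        if fingerprint(cert) in distrusted:
            return False, f"{cert['subject']} is explicitly distrusted"
    if not name_matches(hostname, leaf["subject"]):
        return False, f"hostname {hostname} does not match {leaf['subject']}"
    return True, "ok"


def demo():
    """Run the scenarios from the Doc Text against the constructed data."""
    blocklist = {fingerprint(ROGUE_INTERMEDIATE)}
    return {
        "rogue_before_fix": validate("www.google.com", LEAF_VIA_ROGUE, [ROGUE_INTERMEDIATE], [ROOT]),
        "rogue_after_fix": validate("www.google.com", LEAF_VIA_ROGUE, [ROGUE_INTERMEDIATE], [ROOT], blocklist),
        "proper_ee_cannot_issue": validate("www.google.com", LEAF_VIA_EE, [CUSTOMER_EE], [ROOT]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The three scenarios in `demo()` map onto the record: before the fix, the leaf signed by the mis-issued CA-flagged certificate validates for www.google.com; after the distrust entry is loaded it is rejected even though the root is still trusted; and the certificate the customer should have received cannot act as an issuer at all because its CA flag is clear.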

Description Huzaifa S. Sidhpurwala 2012-12-28 05:31:16 UTC
TURKTRUST, a certificate authority in Mozilla’s root program, mis-issued two intermediate certificates to customers. TURKTRUST has scanned their certificate database and log files and confirmed that the mistake was made for only two certificates.

External References:

https://blog.mozilla.org/security/2013/01/03/revoking-trust-in-two-turktrust-certficates/
http://googleonlinesecurity.blogspot.in/2013/01/enhancing-digital-certificate-security.html
http://www.mozilla.org/security/announce/2013/mfsa2013-20.html

Comment 14 Huzaifa S. Sidhpurwala 2013-01-04 04:12:40 UTC
Created nss tracking bugs for this issue

Affects: fedora-all [bug 891806]

Comment 18 Huzaifa S. Sidhpurwala 2013-01-16 02:23:05 UTC
Mozilla/MITRE decided to revoke the CVE which was assigned to this issue.

Reference:
https://bugzilla.mozilla.org/show_bug.cgi?id=825022#c67

Comment 20 errata-xmlrpc 2013-01-31 19:14:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:0214 https://rhn.redhat.com/errata/RHSA-2013-0214.html

Comment 21 errata-xmlrpc 2013-01-31 20:35:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0213 https://rhn.redhat.com/errata/RHSA-2013-0213.html