Some Bitdefender products break HTTPS certificate revocation

This allows man-in-the-middle attackers with access to revoked, but otherwise valid, certificates to manipulate encrypted traffic

Aggressive adware applications that break the trust between HTTPS (HTTP Secure) websites and users have been at the center of controversy lately. But over the past week, HTTPS interception flaws of varying severity were also found in security programs, with products from antivirus vendor Bitdefender being the latest example.

Carsten Eiram, the chief research officer of vulnerability intelligence firm Risk Based Security, found that the latest versions of several Bitdefender products, namely Bitdefender Antivirus Plus, Bitdefender Internet Security and Bitdefender Total Security, do not check the revocation status of SSL certificates before replacing them with new ones that are signed using a root certificate installed locally. The products use this technique in order to scan encrypted HTTPS traffic for potential threats.

While the certificate revocation oversight in Bitdefender products is not as serious as the HTTPS interception flaws found recently in other programs, like the Superfish adware preloaded on Lenovo laptops, its impact is not negligible, Eiram said.

If a website's certificate has been revoked by a certificate authority -- for example, because it was issued fraudulently or because its private key was compromised by hackers -- affected Bitdefender products will still accept it as valid. More importantly, as part of their HTTPS scanning feature, they will convert the revoked certificate into a certificate that local browsers will trust, despite the fact that under normal circumstances those browsers would reject the original certificate.

Eiram discovered the issue earlier this week while performing quick tests of the HTTPS scanning implementations in a few widely used security products, following an inquiry from the IDG News Service about possible Superfish-like flaws in other applications. IDG News Service helped report the issue to Bitdefender and the company developed a fix that will be included in a larger scheduled update next week.

The decision to report the flaw publicly ahead of a patch release was taken because the issue is very easy to find and because Bitdefender considers its impact to be low.

HTTPS scanning issues are something that a lot of people are focusing on, Eiram said. "Someone is bound to download and check certificate validation in various security products including Bitdefender. It's just a matter of downloading the product and then visiting a site with a revoked certificate to see the unsafe behavior."

One such site is https://revoked.grc.com. It has been set up by Gibson Research so that users can test whether their browsers and other software fail to check the revocation status of SSL certificates. If the site is loaded without a browser warning then certificate revocation is not properly verified.

"As the attack vector is quite small and difficult for an attacker to target, we did not consider it as a high priority update," said Alexandru Catalin Cosoi, Bitdefender's chief security strategist and global communications director, in an emailed statement. "We will scan the [HTTPS] traffic anyway for malicious payloads, which still renders our customers safe."

Disabling the HTTPS scanning feature in Bitdefender products is "definitely not an option," Cosoi said. Aside from this functionality being needed to detect potential malware served from HTTPS websites, it's also used for parental control, identity protection and several other features, he said.

Eiram believes that while not critical, the issue is more serious than Bitdefender estimates. However, he praised the company for its fast response. A one- to two-week turnaround from a vendor is usually very quick and a solid response time, said the researcher, who's a member of the CVE Editorial Board.

The Bitdefender products generate separate self-signed root certificates for every system they're installed on, so they don't have the same flaw as Superfish or the other programs that were found to be using the poorly designed Komodia HTTPS interception library.

The company's products also check that certificates presented by websites are not expired, are for the correct domain and are issued by a trusted certificate authority, unlike PrivDog, a program that was recently found to intercept HTTPS traffic in an insecure manner.
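As an added illustration (not Bitdefender's code or any vendor's), the gate below mirrors the checks the article says the products already performed, chain to a trusted root, hostname and validity, and then adds the missing step: consulting the issuer's CRL before a replacement certificate is minted. The root CA, the leaf for the placeholder host www.example.com and the CRL are constructed test data standing in for a real CA's, and failing closed when no trustworthy, current CRL is available is a design assumption of the example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // panics on error; exists only to keep the constructed fixture short
	if err != nil {
		panic(err)
	}
	return v
}

// fixture is constructed test data: a root CA, a leaf for www.example.com issued by it, and a CRL from that CA listing the leaf as revoked.
func fixture() (ca, leaf *x509.Certificate, crlDER []byte) {
	caKey, leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test Root"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{"www.example.com"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	crlDER = must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}}, ca, caKey))
	return ca, leaf, crlDER
}

// decide gates the minting of a locally trusted replacement certificate: chain, hostname and validity are the checks the article credits Bitdefender with; the CRL check is the one it skipped.
func decide(leaf, root *x509.Certificate, crlDER []byte, host string) (bool, string) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots}); err != nil {
		return false, "reject: " + err.Error()
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(root) != nil || time.Now().After(crl.NextUpdate) {
		return false, "reject: no trustworthy, current CRL (failing closed here is a design choice)"
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return false, "reject: certificate is revoked, do not re-sign"
		}
	}
	return true, "re-sign: chain valid and not revoked"
}
```

For the constructed leaf, the chain check alone passes, which is exactly the situation the article describes; only the CRL step turns the verdict into a rejection.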

In order to exploit the certificate revocation oversight in Bitdefender products attackers would need to have a legitimate certificate for a website that has been revoked, as well as its corresponding private key. They would also need to be in a position to intercept connections between affected users and that website.

This can be done through DNS hijacking, compromising routers, ARP spoofing, impersonating Wi-Fi access points -- known as evil twin attacks -- and other techniques. Depending on where the attack is executed it could affect a small number of users -- for example those on a local area network -- or a large population, if done higher up in the Internet infrastructure by someone like the NSA or a country's government.

It would be considerably harder than targeting users of PrivDog, Superfish or Komodia-based products, but far from impossible.

First of all, attackers injecting data into HTTPS traffic, like the malicious payloads mentioned by Bitdefender, is not the only threat, Eiram said. Extracting sensitive information from it, including authentication tokens that would allow attackers to take over accounts, would also be possible.

The compromise of certificate private keys is not uncommon. In 2011, the Electronic Frontier Foundation found 73,345 cases where certificates were revoked because their private keys had been compromised. In addition, the Heartbleed flaw discovered in OpenSSL last year allowed attackers to extract sensitive data from HTTPS servers, including SSL private keys.

Security blunders or compromises at certificate authorities can also result in fraudulent certificates being issued. In 2011, hackers issued nine fraudulent SSL certificates for domain names owned by Google, Yahoo, Skype, Mozilla and Microsoft after compromising a Comodo-affiliated certificate registration authority.

That same year a Dutch certificate authority called DigiNotar was hacked and the attacker walked away with over 500 fraudulent certificates for various domain names. One of those certificates was later used in a mass surveillance attack against Gmail users in Iran.

Other similar incidents have happened since then, and certificate revocation played an important role in protecting users every time. Without it, attackers can abuse fraudulent certificates for years, until their expiration date.

Cosoi argued that security products have a legitimate need to inspect HTTPS traffic and that, unlike adware programs, they do this to provide protection, not to profit. The practice of using a locally installed self-signed root certificate is a workaround that security products should be allowed to use, he said.

Eiram agreed, saying that the inability to inspect HTTPS traffic would be a significant limitation for such a product.

"It would be too simple for attackers to get around the Web browsing protection features by just getting users to visit malicious sites using HTTPS," he said. "However, it's important that security products implement proper certificate checks to ensure presented certificates are valid."

Stories by Lucian Constantin