Description
An attacker can bypass authorization checks and force a Step CA ACME or SCEP provisioner to create certificates without completing certain protocol authorization checks.
A flaw was found in the Automated Certificate Management Environment (ACME) and Simple Certificate Enrollment Protocol (SCEP) provisioner features of Step CA (github.com/smallstep/certificates). The flaw is an authorization bypass in Step CA's ACME and SCEP provisioners: certain authentication tokens are not properly rejected. A remote, unauthenticated attacker can therefore bypass the protocol's authorization checks and obtain certificates, leading to unauthorized certificate issuance.
Statement
No Red Hat products are impacted, because the affected component (Step CA) is not used or provided by any Red Hat product. This vulnerability was rated Critical because it allows a remote, unauthenticated attacker to bypass the core authorization mechanisms of a Certificate Authority and directly issue trusted certificates, fundamentally breaking the CA trust boundary. While the flaw does not lead to arbitrary code execution on the Step CA host, compromising a CA's issuance process is equivalent to a system-level security failure: attackers can mint certificates for unauthorized identities and use them for large-scale impersonation, man-in-the-middle attacks, and interception of encrypted traffic across systems beyond the CA itself. The attack requires no privileges, no user interaction, and low complexity, and its effects propagate outside the vulnerable system because of the implicit trust placed in issued certificates, resulting in a scope change and high confidentiality and integrity impact. This ability to undermine PKI trust at scale elevates the flaw beyond an Important issue and justifies a Critical severity classification from a technical risk standpoint.
Mitigation
No mitigation is currently available that meets Red Hat Product Security's standards for usability, deployment, applicability, or stability. However, exposure can be reduced by restricting or blocking access to the /sign endpoint through network controls or reverse proxies.
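One way to apply the network-level restriction described above is to place a reverse proxy in front of Step CA and allow the /sign endpoint only from the networks that legitimately enrol certificates. The following nginx server block is an added example, not part of the advisory or of the Step CA project; the upstream address 127.0.0.1:9000, the allowed ranges, and the certificate paths are assumptions to be replaced with your own values.

```nginx
# Added example: front Step CA with nginx and limit who can reach /sign.
# Assumption: step-ca listens on https://127.0.0.1:9000 (placeholder).
upstream step_ca {
    server 127.0.0.1:9000;
}

server {
    listen 443 ssl;
    server_name ca.example.internal;          # placeholder hostname

    ssl_certificate     /etc/nginx/tls/ca-proxy.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/ca-proxy.key;   # placeholder path

    # /sign is the endpoint the advisory recommends restricting.
    # Only enrolment hosts on trusted ranges may reach it; everyone else gets 403.
    location = /sign {
        allow 10.20.0.0/16;      # placeholder: internal enrolment network
        allow 192.168.100.5;     # placeholder: a specific enrolment host
        deny  all;

        proxy_pass https://step_ca;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        # Log denied and allowed sign requests separately for detection.
        access_log /var/log/nginx/step-ca-sign.log;
    }

    # All other CA paths are proxied unchanged so that health checks,
    # roots and other client operations keep working.
    location / {
        proxy_pass https://step_ca;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
```

The separate access log for /sign makes it straightforward to alert on 403 responses from unexpected sources while the fixed Step CA release is rolled out.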
Additional information
Status: 10 Critical (CVSS3)
Related vulnerabilities
Step CA Has Authorization Bypass in ACME and SCEP Provisioners (10 Critical, CVSS3)