Dear Venafi customer,
The Flame malware, which came into public awareness near the end of May 2012, highlights the compromise of MD5-hashed certificates used to set up man-in-the-middle attacks on Microsoft licensing and update mechanisms. Microsoft has since issued an emergency patch to numerous systems to move the three fraudulent certificates to the un-trusted store in an effort to close the door on the attack vector.
While Microsoft has eliminated this specific vulnerability to fraudulent Microsoft certificates, organizations with instances of MD5 certificates on their own networks (internal and external) remain vulnerable to MD5 compromise risk. Professional hackers and insiders can exploit MD5 vulnerabilities to spoof certificates to perform similar man-in-the-middle attacks in order to gain access to corporate assets. We have statistically valid samples which demonstrate that virtually all enterprises in the Global 3000 have MD5 certificates pervasively deployed throughout their networks today.
Venafi customers who have deployed Director Certificate Manager and who are running repetitive discoveries on their network will know the number and location of MD5 certificates on their network today. With that remediation data, we strongly recommend that you remove or replace these vulnerable certificates immediately.
If you are also managing the certificates and have enabled Provisioning then you can automatically replace the vulnerable certificates using the Provisioning features of Director.
We also recommend that all certificates be put under Director management and that no certificates be issued that do not conform to the policies you have established.
The major failure mode of this increasingly common attack on certificates is a lack of management attention to the policies and best practices.
As a Venafi customer you have the applications and platforms in place to manage certificates so that you are not vulnerable to the attack on certificates as evidenced by the Flame malware.
We are offering our customers a Rapid Evaluation Service that we can perform with you over the phone in less than one hour. The deliverable will be a report that identifies where your current implementation stands in terms of protecting you from certificate compromise attacks.
Please email firstname.lastname@example.org, or call us at 801-676-6900 to request the Rapid Evaluation Service. As always, you can contact your Account Executive, Sales Engineer or Customer Support contact for more information.
The Venafi Rapid Response Team
You can still receive a free assessment of your environment to determine your MD5 risks. Submit the Venafi Assessor™ form and a Venafi representative will contact you to help you with the fast and easy deployment. Assessor is simple to use and will quickly help you:
Suggested News Articles:
View this informative webinar to learn what happened with the Flame cyber espionage attack on Microsoft and how this new MD5 risk affects not only Global 2000 organizations, but also how it impacts you. Watch webinar now
Venafi Assessor is designed to help organizations develop and maintain best practices for critical security instruments. Using Assessor, IT and information security executives can rapidly discover critical SSL certificate, encryption key and certificate authority (CA) vulnerabilities. In addition to providing a comprehensive population inventory of all deployed certificates by issuer, Venafi Assessor delivers a succinct view of all issuing CAs (internal and external), vendor-issued certificates and self-signed certificates. Learn More
Venafi is the inventor of and market leader in enterprise key and certificate management (EKCM). Venafi delivered the first enterprise-class solution to discover all digital certificates and cryptographic keys within an organization, connect these assets to the people responsible for them, report on and audit their use to prove compliance, enforce policy, and automate operations to eliminate security risks, unplanned outages and compliance failures. Designed specifically for the enterprise, Venafi Director helps organizations regain control over trust in the data center, on desktops and mobile devices, and in the cloud by managing Any Key. Any Certificate. Anywhere™. Venafi also publishes best practices for effective key and certificate management. Venafi customers include the world’s most prestigious Global 2000 organizations in financial services, insurance, high tech, telecommunications, aerospace, healthcare and retail. Venafi is backed by top-tier venture capital funds, including Foundation Capital, Pelion Venture Partners and Origin Partners. For more information, visit www.venafi.com.