Remediate Flame MD5 Risks

To extinguish the risk of a Flame-style attack on your company, you need to find every certificate that is still signed with MD5, in your own PKI and in every chain your systems trust, and replace it immediately with one signed using a SHA-2 algorithm.

Analyst Coverage

"Admittedly this is a complex topic, but the most important takeaway is this: the risk-based evaluation your company needs to make right now is not about your vulnerability to the Flame virus; it is about your vulnerability to MD5-signed certificates. If you are confident in knowing how many of these there are, and where they are, and what systems are potentially at risk as a result – well done."

"Organizations with roughly 200 or more documented X.509 certificates in use are high-risk candidates for unplanned expiry and having certificates that have been purchased but not deployed."

"To support the broader deployment of encryption, organizations with top performance have looked towards increased automation and centralized, heterogeneous approaches to key lifecycle management. Venafi is well-aligned with this Best-in-Class approach."

"Venafi's primary differentiator is its broad entity support for systems that utilize asymmetric keys and certificates. In addition, it implements flexible key lifecycle policies and administration functionality and automated discovery of keys and certificates in systems that support such activity."

"Venafi offers compelling advantages, such as being the early mover in this market, with proven deployments at marquee customers demonstrating its ability to scale and provide breadth of integration."

"When there are many hundreds of certificates from a variety of certificate authorities, the only ecumenical [universal], nonproprietary provider of a certificate management solution is Venafi. Other CA management systems are biased toward the particular CA by, for example, only supporting renewals from that specific CA."

"The emphasis on orchestration, in tandem with its scalability and interoperability, is tied to the evolution of Venafi's competitive landscape, and to the potential to frame its value in the context of risk management."

What is Flame malware?

Flame, discovered in May 2012, demonstrated how a certificate chain that still relied on MD5 signatures could be forged and then used for man-in-the-middle and code-signing attacks.

Background

Based on currently available information, Flame was a sophisticated piece of malware built to gather intelligence in Iran and the wider Middle East. Its developers were able to forge a code-signing certificate that chained up to a Microsoft root because Microsoft's Terminal Server Licensing Service still issued certificates signed with the weak MD5 algorithm, against which practical collision attacks had been published in 2005. Producing the forgery required an MD5 chosen-prefix collision, so this was the work of a well-resourced team, but the weakness it exploited was simply the continued use of MD5 in a trusted chain. The forged certificate was then used in HTTP man-in-the-middle attacks against the Windows Update traffic of targeted machines, which accepted the signed payload as a bona fide Microsoft update.

What Happened?

Summary: Flame impersonated Microsoft to deliver its payload, Windows ran that payload as trusted code, and the code opened a "door" through which its operators stole information.

Sequence of events:

  1. Microsoft certificate
    • The Terminal Server Licensing Service's certificate chain, which Microsoft still signed with MD5, was targeted
    • Using an MD5 chosen-prefix collision, the attackers manufactured a forged certificate that validated as a genuine Microsoft certificate
    • The attackers then took up a man-in-the-middle position between Microsoft's update servers and the targeted machines
    • The targeted machines believed they were talking directly to Microsoft
  2. Licensing and update services were abused
    • Microsoft licensing: the MD5-signed licensing chain supplied the trust the forged certificate inherited
    • Windows Update: its traffic was intercepted and answered with the attackers' payload
  3. Code signing
    • The malware was signed with the forged certificate
    • Windows accepted the signature and allowed the malware to run and install
  4. Flame malware
    • Stole small samples of files
    • Sent them to command-and-control servers reachable through more than 80 different domains
    • If a sample looked valuable, the operators instructed the malware to retrieve more

In response to Flame, Microsoft issued an emergency update (Security Advisory 2718704) that moved the Terminal Server Licensing intermediate CA certificates into the Untrusted Certificates store in Windows, so that nothing chaining through them, the forged certificate included, is trusted any longer. Once installed, this update protects organizations from the specific Microsoft certificates that the Flame developers exploited; it does nothing about MD5-signed certificates issued anywhere else. MD5-based certificates were the open door, or attack vector, that allowed Flame to work. Microsoft closed its own door by rendering its MD5-signed licensing certificates invalid; every other organization still has to find and close its own.
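The inventory check that the page calls for, finding every certificate whose signature algorithm is still MD5, is shown below as an added example; it is not part of the original page and not Venafi's code. It walks the DER encoding of a certificate with the standard library only, reads the signatureAlgorithm OID from both the outer Certificate and the inner tbsCertificate, and classifies the certificate. The "inventory" it scans is constructed: the file names are made up and the certificate blobs are minimal DER skeletons that carry only the fields the check reads (they are not usable certificates). In practice you would feed it every PEM or DER file that discovery turns up, including the intermediate CA certificates in each chain, since Flame's forgery was possible because an intermediate, not the leaf, was MD5-signed.

```python
"""Flag X.509 certificates that are still signed with MD5 (added example, stdlib only).

    Certificate ::= SEQUENCE {
        tbsCertificate      SEQUENCE { [0] version OPTIONAL, serialNumber,
                                       signature AlgorithmIdentifier, ... },
        signatureAlgorithm  AlgorithmIdentifier ::= SEQUENCE { OID, params },
        signatureValue      BIT STRING }

RFC 5280 requires the inner and outer AlgorithmIdentifier to carry the same OID,
so a mismatch is reported on its own: it means a malformed or tampered file.
"""
import base64
import re

SIG_ALG_NAMES = {                      # registered OIDs for X.509 signature algorithms
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
MD5_FAMILY = {"1.2.840.113549.1.1.2", "1.2.840.113549.1.1.4"}    # MD2/MD5: the Flame attack vector
SHA1_FAMILY = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}      # SHA-1: collision-broken since 2017


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                   # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4:                             # indefinite or absurd lengths are not DER
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def _children(value: bytes):
    """Split the contents of a constructed element into (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, child, pos = _read_tlv(value, pos)
        out.append((tag, child))
    return out


def _decode_oid(value: bytes) -> str:
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:                                 # base-128, high bit set on all but last byte
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)


def _alg_oid(alg_identifier: bytes) -> str:
    tag, oid = _children(alg_identifier)[0]
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def load_der(data: bytes) -> bytes:
    """Accept a PEM-armoured certificate or raw DER."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data


def signature_algorithms(der: bytes):
    """Return (outer signatureAlgorithm OID, inner tbsCertificate.signature OID)."""
    tag, cert, _ = _read_tlv(der, 0)
    fields = _children(cert) if tag == 0x30 else []
    if len(fields) != 3 or fields[0][0] != 0x30 or fields[1][0] != 0x30 or fields[2][0] != 0x03:
        raise ValueError("not a Certificate structure")
    tbs = _children(fields[0][1])
    if tbs and tbs[0][0] == 0xA0:                       # EXPLICIT [0] version is absent in v1 certs
        tbs = tbs[1:]
    return _alg_oid(fields[1][1]), _alg_oid(tbs[1][1])  # tbs[0] is serialNumber, tbs[1] signature


def assess(data: bytes) -> dict:
    outer, inner = signature_algorithms(load_der(data))
    verdict = ("mismatch" if outer != inner else "weak" if outer in MD5_FAMILY
               else "deprecated" if outer in SHA1_FAMILY else "ok")
    return {"algorithm": SIG_ALG_NAMES.get(outer, outer), "verdict": verdict}


# --- constructed sample input (DER encoder for the skeleton only) -------------------------
def _tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return bytes(out)


def make_skeleton(outer_oid: str, inner_oid: str = None) -> bytes:
    """CONSTRUCTED test input: only the fields the check reads, so not a usable certificate."""
    def alg(oid):
        return _tlv(0x30, _tlv(0x06, _encode_oid(oid)) + _tlv(0x05, b""))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))          # version v3
                     + _tlv(0x02, b"\x01")                     # serialNumber
                     + alg(inner_oid or outer_oid))            # inner signature algorithm
    return _tlv(0x30, tbs + alg(outer_oid) + _tlv(0x03, b"\x00" + bytes(16)))


def to_pem(der: bytes) -> bytes:
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    inventory = {                                       # constructed; file names are made up
        "legacy-licensing-ca.pem": to_pem(make_skeleton("1.2.840.113549.1.1.4")),
        "web-frontend.cer": make_skeleton("1.2.840.113549.1.1.11"),
        "old-vpn.pem": to_pem(make_skeleton("1.2.840.113549.1.1.5")),
        "tampered.cer": make_skeleton("1.2.840.113549.1.1.11", "1.2.840.113549.1.1.4"),
    }
    for name, blob in inventory.items():
        r = assess(blob)
        print(f"{r['verdict']:10} {r['algorithm']:26} {name}")
```

The check reads the algorithm identifier, it does not verify the signature, so it tells you which certificates to replace, not whether a given chain is currently valid; `openssl x509 -noout -text` prints the same Signature Algorithm field if you want to spot-check a single file. Run it over every certificate in each chain, not just the leaves, and treat a SHA-1 result as the next item on the same replacement list.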