Skip to main content
banner image
venafi logo

Are You Still Using Vulnerable Certificates on Your Network? [Are You Sure?]

Are You Still Using Vulnerable Certificates on Your Network? [Are You Sure?]

vulnerable certificates
October 3, 2019 | Mark Miller


Insecure machine identities can wreck your world. Unfortunately, if you don’t really understand what you are doing with your keys and certificates, it is extremely easy for them to be vulnerable. But the problem is that these vulnerable certificates are like a ticking time bomb. You may never know how exposed you are until there is a problem.

That’s why Machine Identity Management is a must. With the right solution in place, you can set high standards for your machine identities and make sure that they are maintained across your entire organization. By finding and replacing any certificates that don’t meet your rigid standards for security, you can protect yourselves from a potential disaster.
 

We discovered a ticking time bomb

Granted, it’s not every day you come across a disaster waiting to happen, but I did the other day when I was helping a customer troubleshoot an issue with certificates on their F5 server. The customer reported that Venafi was failing to connect to an F5 server in order to manage all the virtual IPs. As we dug into it, we found some problems with the connection.
 

Namely, the certificates outlived their validity periods (some as long as 10 years previously!) Plus, they were still using vulnerable MD5 and SHA-1 algorithms that had been deprecated for quite a long time. While public browsers no longer accept these algorithms, many organizations still have some in their internal systems that they have overlooked, were simply never able to locate, or worse yet, did not understand.
 

When Venafi encountered the bad certificate it would not let admins connect to the F5 server. Venafi was not broken, it was a warning and a stop gap to keep the organization safe. “Thank you Venafi for knowing that the connection was not healthy!”
 


 

There are multiple attack vectors available with these vulnerable certificates. Issues, such as weak algorithms, make the connection vulnerable enough that you could capture the credentials being passed over the connection. We also noticed that the F5 Administrative credential was shared among all the F5 servers. This means that even the F5 servers with good machine identities are now exposed due to the server with a bad machine identity. This translates to thousands of sites that could be/could have been compromised, over the last 10+ years.
 

Want to learn more about machine identity management? See our Dummies Guide.

What you can do

It is a challenge to find certain trusted roles that have relevant PKI experience and understand enough or have enough time to effectively manage your machine identities. Venafi can help here.

We’ll help you:
 

  1. Set enforced policy to issue certificates that adhere to best practices only
  2. Find certificate vulnerabilities so you can correct them
  3. Alert your security team when there is a problem with machine identities
  4. Create unique credentials for each F5 server so you don’t expose everything due to one bad server
     

The security team we worked with wanted us to force Venafi to just accept the expired MD5 certificate and they demonstrated how easy it is to click past the certificate warning box. There is a fundamental lack of understanding of the issue. So, if I was going to choose an attack vector here, I think I would just go phishing and catch plenty of Sucker fish. Instead, I recommended the following:

Remediation actions

  1. Stop access to these servers.
  2. Do targeted network discovery
  3. Report and Remediate vulnerabilities
  4. Create larger planned network discovery
  5. Report and Remediate
  6. Reform best practices and educate trusted role

Following best practices is awesome, if -   

Following best practices is awesome. But if you only do the minimum, you may still face challenges that may still impact your security. Here’s an example. Even after we explained this situation and the gravity of it to the organization, they issued a new certificate and even at SHA-2 there were still problems that we needed to help educate on.

Here are issues that would still need to be addressed in the new certificates:

  1. Still self-signed
  2. Common name of LocalHost
  3. Validity period of 10 years
  4. Not protected by any company or industry policies/best practices
     


Do you have any vulnerable certificates in your network?


 

Related Posts

 

Like this blog? We think you will love this.
acme-protocol-and-https
Featured Blog

What is the Automated Certificate Management Environment (ACME) Protocol?

How does it work?

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies
eBook

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Mark Miller
Mark Miller

Mark Miller is Senior Director, Enterprise Security Support, at Venafi, where he works with hundreds of the world’s largest companies to develop and implement strong, resilient cybersecurity strategies across a constantly evolving set of interlocking technologies. Mark has focused on building and leading strong teams to solve difficult product issues.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more