Skip to main content
banner image
venafi logo

Confirmation of the FLAME Attack Vector

Confirmation of the FLAME Attack Vector

June 8, 2012 | Gary Moore

A couple of days ago I wrote a quick post on FLAME and how the developers of the malware had been very creative in their attack vector. At that time there was still a considerable amount of work being done to validate the attack vector, but as I pointed out the evidence that existed pointed to a collision attack on the MD5 hashing algorithm that was used in generating two of the CAs’ root certificates signatures.

Today there is some confirmation that the attack did leverage the collision vector, as highlighted in an email to a cryptography discussion group. The approach of the developers was unique and had not been seen before, but the concept was the same concept that had been used in previous MD5 collision demonstrations, including those in 2008. As we discussed, the attackers then leveraged the fraudulent certificate to hijack the Windows update mechanism. It appears that the ongoing investigation is confirming what we have believed all along.

Microsoft's response to the fraudulent certificates was rapid but it only addresses the problems that existed in the Microsoft environment. It is imperative that organizations quickly determine if there are other CA certificates that exist in their system trust stores that could be as easily taken advantage of and compromised. We recommend that organizations stop issuing certificates with MD5 and remove from their trust stores any certificates that use MD5 within the signature hashing algorithm.

The other actions that were mentioned in the previous post should also be put into an organizations existing operational action plan including:

  • Look for known bad certificates and remove them;
  • Evaluate what roots certificates you trust, and why;
  • Look at what signing, hashing and key lengths are used and;
  • Look at what certificate lifetimes are indicated

These steps are the simple ones that need to be taken today. Moving to a comprehensive Key and Certificate Management System will ensure that the processes to maintain the environment can be automated.

FLAME demonstrated what can be done. Organizations need to take action to ensure that they do not get caught and burned by the next variant of FLAME.

Read the Venafi Security Alert: MD5 Vulnerability and learn more about how to identify your MD5 certificates.

Like this blog? We think you will love this.
compromised android platform certificate
Featured Blog

Compromised Platform Certificates Used to Sign Android Malware for Samsung, LG and Others

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

Subscribe Now

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more