CVE-2022-21672

make-ca is a utility to deliver and manage a complete PKI configuration for workstations and servers. Starting with version 0.9 and prior to version 1.10, make-ca misinterprets Mozilla certdata.txt and treats explicitly untrusted certificates like trusted ones, causing those explicitly untrusted certificates trusted by the system. The explicitly untrusted certificates were used by some CAs already hacked. Hostile attackers may perform a MIM attack exploiting them. Everyone using the affected versions of make-ca should upgrade to make-ca-1.10, and run `make-ca -f -g` as the `root` user to regenerate the trusted store immediately. As a workaround, users may delete the untrusted certificates from /etc/pki/tls and /etc/ssl/certs manually (or by a script), but this is not recommended because the manual changes will be overwritten next time running make-ca to update the trusted anchor.

CVSS v3 6.5 MEDIUM
CVSS v2.0 4.3 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://github.com/lfs-book/make-ca/issues/19	Issue Tracking Mitigation Third Party Advisory
https://github.com/lfs-book/make-ca/pull/20	Patch Third Party Advisory
https://github.com/lfs-book/make-ca/security/advisories/GHSA-m5qh-728v-4xrx	Patch Third Party Advisory
https://lists.linuxfromscratch.org/sympa/arc/blfs-support/2022-01/msg00020.html	Mailing List Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:linuxfromscratch:make-ca:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2022-01-10 21:15

Updated : 2022-01-24 19:40

NVD link : CVE-2022-21672

Mitre link : CVE-2022-21672

CVE.ORG link : CVE-2022-21672

JSON object : View

Products Affected

linuxfromscratch

make-ca

CWE

NVD-CWE-Other CWE-115

Misinterpretation of Input

{"id": "CVE-2022-21672", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2022-01-10T21:15:08.043", "references": [{"url": "https://github.com/lfs-book/make-ca/issues/19", "tags": ["Issue Tracking", "Mitigation", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/lfs-book/make-ca/pull/20", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/lfs-book/make-ca/security/advisories/GHSA-m5qh-728v-4xrx", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://lists.linuxfromscratch.org/sympa/arc/blfs-support/2022-01/msg00020.html", "tags": ["Mailing List", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-115"}]}], "descriptions": [{"lang": "en", "value": "make-ca is a utility to deliver and manage a complete PKI configuration for workstations and servers. Starting with version 0.9 and prior to version 1.10, make-ca misinterprets Mozilla certdata.txt and treats explicitly untrusted certificates like trusted ones, causing those explicitly untrusted certificates trusted by the system. The explicitly untrusted certificates were used by some CAs already hacked. Hostile attackers may perform a MIM attack exploiting them. Everyone using the affected versions of make-ca should upgrade to make-ca-1.10, and run `make-ca -f -g` as the `root` user to regenerate the trusted store immediately. As a workaround, users may delete the untrusted certificates from /etc/pki/tls and /etc/ssl/certs manually (or by a script), but this is not recommended because the manual changes will be overwritten next time running make-ca to update the trusted anchor."}, {"lang": "es", "value": "make-ca es una utilidad para entregar y administrar una configuraci\u00f3n PKI completa para estaciones de trabajo y servidores. A partir de la versi\u00f3n 0.9 y versiones anteriores a 1.10, make-ca malinterpreta Mozilla certdata.txt y trata los certificados expl\u00edcitamente no confiables como si fueran confiables, causando que esos certificados expl\u00edcitamente no confiables sean confiados por el sistema. Los certificados expl\u00edcitamente no confiables fueron usados por algunas CAs ya hackeadas. Los atacantes hostiles pueden llevar a cabo un ataque de tipo MIM explot\u00e1ndolos. Todos los que usen las versiones afectadas de make-ca deber\u00edan actualizar a make-ca-1.10, y ejecutar \"make-ca -f -g\" como usuario \"root\" para regenerar el almac\u00e9n confiable inmediatamente. Como soluci\u00f3n, los usuarios pueden borrar los certificados no confiables de /etc/pki/tls y /etc/ssl/certs manualmente (o mediante un script), pero no es recomendado porque los cambios manuales ser\u00e1n sobreescritos la pr\u00f3xima vez que sea ejecutado make-ca para actualizar el anclaje confiable"}], "lastModified": "2022-01-24T19:40:43.103", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linuxfromscratch:make-ca:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9DF45D07-0CDF-49E7-B12B-1A17B3357573", "versionEndExcluding": "1.10", "versionStartIncluding": "0.9"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}

6.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

4.3 /10

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2022-21672

6.5^/10

4.3^/10

Attach tags to `CVE-2022-21672`