Juniper Networks issued a wide ranging up date last week that addressed a range of vulnerabilities, including a critical CVE centred on a Turkish certificate authority that a researcher first raised the alarm about in late 2022.
CISA issued an alert on Friday flagging up that Juniper Networks had released a security bulletin addressing “multiple vulnerabilities affecting Juniper Secure Analytics optional applications.”
Secure Analytics is Juniper’s SIEM system, and Juniper describes it as “an essential part of the Juniper Connected Security portfolio”.
CISA said in its alert that “A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system.”
The network vendor’s bulletin addressed 20 different issues, ranging in severity from 4.3 and up. The most critical came in at a CVSS 9.8, and regarded Certifi, [Mozilla’s] “carefully curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts.”
In its bulletin, Juniper said “Certifi prior to version 2023.07.22 recognizes ‘e-Tugra’ root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from ‘e-Tugra’ from the root store.”
Ankara-based e-Turga had been called out by US developer and researcher Ian Carroll, who in 2022 revealed “a number of alarming issues that worry me as to the security practices inside their company.”
These included a series of issues that Carroll said allowed him to access customer information. More worryingly, Carroll wrote that using these issues on the panel customers used to purchase certificates, meant “we could capture password reset emails and take over any account on this site”. He also flagged trivial and critical issues that “which could lead to user account takeover.”
Carroll said customer panels for certificate authorities often allow re-issuing existing certificates without further validation. “These would be a critical issue for any user of e-Tugra.”
As Microsoft principal product security engineer, Apostolos Giannakidis told The Stack, a certificate root store functions as the foundation of digital trust.
“It is the basis for the secure exchange of information online. In the unfortunate event of a compromise in the Certificate Authority infrastructure, the repercussions can be extensive.”
As well jeopardizing the reliability of secure online communications, he said, it “exposes users and organizations to a spectrum of threats, ranging from impersonation and spoofing/phishing attacks to data interception leading to the exposure of sensitive information such as login credentials, personal data, and financial transactions.”
Mozilla launched an investigation into the situation. e-Tugru insisted it had treated the issue with “utmost seriousness”, acknowledged administrative weaknesses in its response to the community, and said it had taken appropriate actions. It insisted “the exploited application did not have any impact on the certificate life cycle process.”
But, as Giannakidis explained, the investigation “concluded that e-Turga demonstrated that they are not able to handle the responsibilities that come with being a publicly trusted CA.”
e-Tugra’s root certificates were deprecated from the Mozilla and Chromium root stores. The July 2023 rev of Certifi removed the e-Tugru certs, giving the move a rating of “high severity”.
Other vendors reporting the flaw “fixed” in affected packages last year included Red Hat.
However, Juniper’s Secure Analytics users had to wait longer.
We asked Juniper why it had taken so long to make the change, and if it had any implications for customers. We haven’t heard back yet.
We also contacted e-Tugra but have not had a reply.
Kevin Bocek, VP Ecosystem and Community at machine identity security specialist Venafi said the prospect of a Certificate Authority (CA) being compromised “is bad news, as they play such a crucial role in keeping the internet safe.
He said that customers should consider “what other CAs, like e-Tugra, Juniper is trusting, as this could be sign of larger problems.
“Customers in the US, Europe and Asia don’t need to use e-Tugra, so Juniper should not be risking customers by allowing unnecessary CAs – from Diginotar to Symantec we’ve seen time and time again issues that broadly trusting CAs creates.”