Thursday, March 31, 2016

Exploiting SCEP

I'm sure I saw mention of this when it was first announced, but between the fact that there is no verified attack and my lack of use of SCEP in production, it has slipped my focus.  However, I've recently hit SCEP pretty hard while setting up the issuing CA in my test lab and came across it again.  So here's a quick blurb.

Despite its widespread usage, SCEP does have its drawbacks.  Concerns have been raised about its inability to strongly authenticate certificate requests made by devices: the only proof of authorization the protocol itself carries is the challenge password in the request, and the subject of the request is chosen by the requester.  However, the same arguments apply to other competing protocols such as Certificate Management Protocol (CMP) and Certificate Management over CMS (CMC).

In 2012, CERT released Vulnerability Note VU#971035, noting that SCEP does not strongly authenticate certificate requests. CERT noted that "SCEP was designed for use in a closed environment" and is not well suited for MDM and "bring your own device" (BYOD) applications where untrusted users and devices are in use. It was also noted that applications that use SCEP take different measures to authenticate users and devices. The impact described in the note is that "an attacker could elevate their permissions by requesting a certificate of a different, possibly higher privileged user that would allow them to access resources that they would not otherwise be able to access."  However, vendors such as Apple, Cisco, and Microsoft are listed as "Not Affected."
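To make the CERT finding concrete, here is a small model of the registration authority (RA) decision that matters. This is an added illustration, not code from the original post or from any SCEP product. The request shape, the `weak_ra_issue` / `HardenedRA` names and the sample secret are assumptions for the example; in real SCEP the RA unwraps a PKCS#7-enveloped PKCS#10 CSR and reads the challenge password from the CSR's challengePassword attribute (OID 1.2.840.113549.1.9.7). The weak half issues for whatever subject the CSR names once the shared challenge matches, which is exactly the privilege-elevation path CERT describes. The hardened half shows one common mitigation (not one the page itself spells out): a single-use challenge that the RA binds, at creation time, to the identity it already authenticated out of band, so the CSR subject is checked against that identity rather than trusted.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class EnrollRequest:
    """What an RA sees after unwrapping a SCEP PKCSReq (simplified model)."""
    subject_cn: str   # from the CSR subject: chosen entirely by the requester
    challenge: str    # from the CSR's challengePassword attribute


@dataclass(frozen=True)
class IssuedCert:
    subject_cn: str


# --- Weak RA: one static challenge password shared by every enrolling device.
# Anyone who extracts it (e.g. from their own device's MDM profile) can enroll
# under any subject they like.
STATIC_CHALLENGE = "example-shared-secret"   # constructed value for this demo


def weak_ra_issue(req: EnrollRequest) -> Optional[IssuedCert]:
    """Issues for whatever subject the CSR names, as long as the secret matches."""
    if not hmac.compare_digest(req.challenge, STATIC_CHALLENGE):
        return None
    return IssuedCert(req.subject_cn)


# --- Hardened RA: a fresh, single-use challenge per enrollment, bound when it
# is created to the identity the RA has already authenticated out of band.
class HardenedRA:
    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}   # challenge -> expected subject CN

    def create_challenge(self, expected_cn: str) -> str:
        token = secrets.token_urlsafe(24)
        self._pending[token] = expected_cn
        return token

    def issue(self, req: EnrollRequest) -> Optional[IssuedCert]:
        # pop() consumes the challenge whether or not issuance succeeds, so a
        # captured or guessed challenge cannot be replayed.
        expected_cn = self._pending.pop(req.challenge, None)
        if expected_cn is None:
            return None                      # unknown, expired or already used
        if req.subject_cn != expected_cn:
            return None                      # CSR subject does not match the enrolled identity
        return IssuedCert(req.subject_cn)


def demo() -> dict:
    """Runs the impersonation attempt against both RAs and returns the outcomes."""
    results = {}
    # Attacker knows the shared secret and asks for a certificate naming a
    # different, more privileged user.
    results["weak_impersonation"] = weak_ra_issue(EnrollRequest("admin", STATIC_CHALLENGE))

    ra = HardenedRA()
    token = ra.create_challenge("bob")        # challenge handed to bob's device
    results["hard_impersonation"] = ra.issue(EnrollRequest("admin", token))   # rejected
    token = ra.create_challenge("bob")        # the previous token was consumed by the failed attempt
    results["hard_legit"] = ra.issue(EnrollRequest("bob", token))            # issued for bob
    results["hard_replay"] = ra.issue(EnrollRequest("bob", token))           # rejected: single use
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'issued for ' + outcome.subject_cn if outcome else 'rejected'}")
```

The point of the model is where the identity check lives. SCEP on its own only tells the RA "this request carries the challenge"; whether the subject in the CSR is allowed is a policy decision the RA or the MDM in front of it has to make, which is why the CERT note treats individual vendors separately from the protocol.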

Not long after the CERT Vulnerability Note was released, Mark Diodati published a post on the Gartner blog detailing the vulnerability, including information on potential exploitation and defense.  Mark notes that at the time, he was unaware of an attack on this in the wild, and in my limited searching, I didn't find any documented attacks yet either.  However, just because nobody has seen it in the wild yet doesn't mean that such an attack doesn't exist, or will not exist in the future.
