Executive Summary

Informations
Name TA12-251A First vendor Publication 2012-09-07
Vendor US-CERT Last vendor Modification 2012-09-07
Severity (Vendor) N/A Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base Score Not Defined Attack Range Not Defined
Cvss Impact Score Not Defined Attack Complexity Not Defined
Cvss Expoit Score Not Defined Authentication Not Defined
Calculate full CVSS 2.0 Vectors scores

Detail

Microsoft has announced the availability of an update to Windows that restricts the use of certificates with RSA keys that are less than 1024 bits in length. Microsoft is planning to release this update through Microsoft Update in October 2012. System administrators of Microsoft Windows platforms should assess the impact of this update on their environment before any wide-scale deployment.

Description

Microsoft's KB2661254 article states in part:

"The strength of public-key-based cryptographic algorithms is determined by the time that it takes to derive the private key by using brute-force methods. The algorithm is considered to be strong enough when the time that it takes to derive private key is prohibitive enough by using the computing power at disposal. The threat landscape continues to evolve. Therefore, Microsoft is further hardening the criteria for the RSA algorithm with key lengths that are less than 1024 bits long.

After the update is applied, only certificate chains that are built by using the CertGetCertificateChain function are affected. The CryptoAPI builds a certificate trust chain and validates that chain by using time validity, certificate revocation, and certificate policies (such as intended purposes). The update implements an additional check to make sure that no certificate in the chain has an RSA key length of less than 1024 bits."

Impact

The private keys used in certificates with RSA keys that are less than 1024 bits in length can be derived and could allow an attacker to duplicate the certificates and use them fraudulently to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.

Solution

US-CERT recommends that system administrators of Microsoft Windows platforms read Microsoft's KB2661254 article and perform an extensive test of the update before doing any wide-scale deployment in their environment. The update will be sent to Microsoft Update for the October 2012 patch cycle. System administrators can obtain the update now from Microsoft's Download Center.

Original Source

Url : http://www.us-cert.gov/cas/techalerts/TA12-251A.html