Executive Summary

Summary
Title NetNanny uses a shared private key and root CA
Informations
Name VU#260780 First vendor Publication 2015-04-20
Vendor VU-CERT Last vendor Modification 2015-05-07
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base Score Not Defined Attack Range Not Defined
Cvss Impact Score Not Defined Attack Complexity Not Defined
Cvss Expoit Score Not Defined Authentication Not Defined
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#260780

NetNanny uses a shared private key and root CA

Original Release date: 20 Apr 2015 | Last revised: 07 May 2015

Overview

NetNanny uses a shared private key and root Certificate Authority (CA), making systems broadly vulnerable to HTTPS spoofing.

Description

NetNanny installs a Man-in-the-Middle (MITM) proxy as well as a new trusted root CA certificate. The certificate used by NetNanny is shared among all installations of NetNanny. Furthermore, the private key used to generate the certificate is also shared and may be obtained in plaintext directly from the software. An attacker may use this shared private key to generate new certificates that would be signed by and therefore trusted by NetNanny. An affected user would not be alerted to a false malicious HTTPS website as NetNanny would trust the spoofed certificate. NetNanny has provided more information on this issue on their FAQ.

We have confirmed that NetNanny version 7.2.4.2 is affected. Other versions may also be affected.

For more information on the impact of this issue on SSL inspection, please see Will Dormann's CERT/CC blog post on SSL Inspection.

Impact

An attacker can spoof HTTPS sites and intercept HTTPS traffic without triggering browser certificate warnings in affected systems.

Solution

Update NetNanny

ContentWatch has released NetNanny for Windows version 7.2.5.1 which addresses these issues. Affected users should update as soon as possible.

Disable SSL filtering and remove the certificate

Affected users can disable SSL filtering using the interface, and manually delete the certificate from the operating system's certificate store. This prevents the issue described above while leaving most other features of NetNanny intact.

Uninstall NetNanny

Uninstalling NetNanny removes the root CA certificate from the operating system's certificate store.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
Content WatchAffected27 Mar 201505 May 2015
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

GroupScoreVector
Base6.8AV:N/AC:L/Au:S/C:C/I:N/A:N
Temporal6.5E:F/RL:U/RC:C
Environmental4.9CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

  • http://www.netnanny.com/products/netnanny/faq
  • https://www.cert.org/blogs/certcc/post.cfm?EntryID=221

Credit

Thanks to Imran Ghory for reporting this issue to us.

This document was written by Garret Wassermann.

Other Information

  • CVE IDs:Unknown
  • Date Public:20 Apr 2015
  • Date First Published:20 Apr 2015
  • Date Last Updated:07 May 2015
  • Document Revision:45

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/260780

Alert History

If you want to see full details history, please login or register.
0
1
2
3
Date Informations
2015-05-07 17:24:11
  • Multiple Updates
2015-05-06 00:25:42
  • Multiple Updates
2015-04-22 21:25:20
  • Multiple Updates
2015-04-20 21:25:32
  • First insertion