### INCIDENT REPORT - Misissuance of 2 CISCO VPN server authentication certificates

---
>I -- How your CA first became aware of the problem (e.g. via a problem report 
>submitted to your Problem Reporting Mechanism, a discussion in 
>mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the 
>time and date.

The Microsec Customer Service Department recovered the misissued certificates 
during the final internal quality check before delivery.

-----
>II -- A timeline of the actions your CA took in response. A timeline is a 
>date-and-time-stamped sequence of all relevant events. This may include events 
>before the incident was reported, such as when a particular requirement became 
>applicable, or a document changed, or a bug was introduced, or an audit was 
>done.

**bvpn.mokk.hu**

        serial    : 03549d12dae60ababce088d2210a
        hash      : ce52002bb9bad4f15f0be21df4de7292c16aa985
        issuance  : 2020-11-05 10:20:06 UTC
        revocation: 2020-11-06 08:17:23 UTC

**avpn.mokk.hu**

        serial    : 0354e7785c9a9de1adbc4947c60a
        hash      : e64f1d0608e6518933a86a7205e1354511903449
        issuance  : 2020-11-06 07:41:05 UTC
        revocation: 2020-11-06 08:16:35 UTC


-----
>III -- Whether your CA has stopped, or has not yet stopped, issuing 
>certificates with the problem. A statement that you have will be considered a 
>pledge to the community; a statement that you have not requires an explanation.

The affected CISCO VPN Server Authentication certificate profile was suspended; 
certificate issuance with other certificate profiles has not been stopped.

-----
>IV -- A summary of the problematic certificates. For each problem: number of 
>certs, and the date the first and last certs with that problem were issued.

        Two certificates were issued for CISCO VPN servers with longer than 398 days validity
        The first certificate was issued on 2020-11-05
        The last certificate was issued on 2020-11-06
        Both certificates were revoked on 2020-11-06
        The whole problem was solved within 24 hours



-----
>V -- The complete certificate data for the problematic certificates. The 
>recommended way to provide this is to ensure each certificate is logged to CT 
>and then list the fingerprints or crt.sh IDs, either in the report or as an 
>attached spreadsheet, with one list per distinct problem.

        bvpn.mokk.hu    https://crt.sh/?id=3606063415
        avpn.mokk.hu    https://crt.sh/?id=3609999362

-----
>VI -- Explanation about how and why the mistakes were made or bugs introduced, 
>and how they avoided detection until now.

This was the first issuance of CISCO VPN Server Authentication certificates 
since 2020-09-01.

Microsec has a version management system for the certificate profiles, which is 
maintained through SVN. 
The immediate investigation found an error in this system: one component 
of the affected CISCO VPN Server Authentication certificate profile was not 
covered by the version control, and as a result this component was left 
unchanged on 2020-09-01.

-----
>VII -- List of steps your CA is taking to resolve the situation and ensure 
>such issuance will not be repeated in the future, accompanied with a timeline 
>of when your CA expects to accomplish these things.

**Immediate actions**

        Microsec revoked the affected two certificates
        The affected certificate profile was suspended
        An investigation was made to recover the reason of the misissuance
        Microsec identified the root of the problem:
        - one component of the affected certificate profile was not covered by the configuration management system
        - due to this fault this certificate profile was left unchanged on 2020-09-01
        Microsec corrected the affected certificate profile component
        Microsec added the missing certificate profile component to the version control system
        The issuance of CISCO VPN Server certificates was enabled again

**Further actions**

        Microsec will review all the certificate profiles for similar problems
        Microsec will check the whole certificate profile management system

>       **Planned deadline is 2020-11-20**






_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
  • Microsec: Misissuance of 2 CIS... Sándor dr . Szőke via dev-security-policy
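
A pre-release check for the validity limit this report turns on, added here as an example (it is not Microsec's code and not part of the original message). It assumes the 398-day limit counts a day as 86,400 seconds with both notBefore and notAfter inclusive, and it uses notBefore as the issuance date; all names and sample timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Assumptions of this example: the limit applies to certificates issued on or
# after 2020-09-01, and a "day" is exactly 86,400 seconds.
CUTOFF = datetime(2020, 9, 1, tzinfo=UTC)
MAX_VALIDITY = timedelta(days=398)


def validity_period(not_before, not_after):
    """Validity with both endpoints inclusive, so it is one second longer
    than the plain difference notAfter - notBefore."""
    return (not_after - not_before) + timedelta(seconds=1)


def lint_validity(not_before, not_after):
    """Return a list of findings; an empty list means the certificate passes."""
    if not_before.tzinfo is None or not_after.tzinfo is None:
        return ["timestamps must be timezone-aware (UTC)"]
    if not_after <= not_before:
        return ["notAfter is not later than notBefore"]
    period = validity_period(not_before, not_after)
    # notBefore stands in for the issuance date (assumption of this example).
    if not_before >= CUTOFF and period > MAX_VALIDITY:
        return [f"validity exceeds 398 days by {period - MAX_VALIDITY}"]
    return []


# Constructed sample certificates: (notBefore, notAfter). None of these are
# the validity values of the certificates named in the report.
NB = datetime(2020, 11, 5, 10, 0, 0, tzinfo=UTC)
OLD = datetime(2020, 8, 31, 10, 0, 0, tzinfo=UTC)
SAMPLES = {
    "exactly-398-days": (NB, NB + timedelta(days=398) - timedelta(seconds=1)),
    "off-by-one-second": (NB, NB + timedelta(days=398)),
    "stale-profile-2y": (NB, NB + timedelta(days=730)),
    "before-cutoff-825d": (OLD, OLD + timedelta(days=825) - timedelta(seconds=1)),
}


def check_samples():
    """Lint every constructed sample; maps sample name -> findings."""
    return {name: lint_validity(nb, na) for name, (nb, na) in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in check_samples().items():
        print(name, "OK" if not findings else findings)
```

Run against the to-be-signed data before signing rather than at final delivery, a check like this blocks issuance when a profile still carries an old validity value.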