Some Bitdefender products break HTTPS certificate revocation
Carsten Eiram, the chief research officer of vulnerability intelligence firm Risk Based Security, found that the latest versions of several Bitdefender products, namely Bitdefender Antivirus Plus, Bitdefender Internet Security and Bitdefender Total Security, do not check the revocation status of a website's SSL certificate before replacing it with a new one signed by a root certificate that the product installs locally. The products use this technique in order to scan encrypted HTTPS traffic for potential threats.
While the certificate revocation oversight in Bitdefender products is not as serious as the HTTPS interception flaws found recently in other programs, like the Superfish adware preloaded on Lenovo laptops, its impact is not negligible, Eiram said.
If a website's certificate has been revoked by a certificate authority -- for example, because it was issued fraudulently or because its private key was compromised by hackers -- affected Bitdefender products will still accept it as valid. More importantly, as part of their HTTPS scanning feature, they will convert the revoked certificate into a certificate that local browsers will trust, despite the fact that under normal circumstances those browsers would reject the original certificate.
Eiram discovered the issue earlier this week while performing quick tests of the HTTPS scanning implementations in a few widely used security products, following an inquiry from the IDG News Service about possible Superfish-like flaws in other applications. IDG News Service helped report the issue to Bitdefender and the company developed a fix that will be included in a larger scheduled update next week.
The decision to report the flaw publicly ahead of a patch release was taken because the issue is very easy to find and because Bitdefender considers its impact to be low.
HTTPS scanning issues are something that a lot of people are focusing on, Eiram said. "Someone is bound to download and check certificate validation in various security products including Bitdefender. It's just a matter of downloading the product and then visiting a site with a revoked certificate to see the unsafe behavior."
One such site is https://revoked.grc.com. It has been set up by Gibson Research so that users can test whether their browsers and other software fail to check the revocation status of SSL certificates. If the site loads without a browser warning, certificate revocation is not being properly verified. Note that when an HTTPS-scanning product sits in the path, the browser never sees the site's original certificate, only the product's re-signed copy, so on such a system the test exercises the product's validation rather than the browser's.
"As the attack vector is quite small and difficult for an attacker to target, we did not consider it as a high priority update," said Alexandru Catalin Cosoi, Bitdefender's chief security strategist and global communications director, in an emailed statement. "We will scan the [HTTPS] traffic anyway for malicious payloads, which still renders our customers safe."
Disabling the HTTPS scanning feature in Bitdefender products is "definitely not an option," Cosoi said. Aside from this functionality being needed to detect potential malware served from HTTPS websites, it's also used for parental control, identity protection and several other features, he said.
Eiram believes that while not critical, the issue is more serious than Bitdefender estimates. However, he praised the company for its fast response. A one to two week turnaround from a vendor is usually very quick and a solid response time, said the researcher, who's a member of the CVE Editorial Board.
The Bitdefender products generate separate self-signed root certificates for every system they're installed on, so they don't have the same flaw as Superfish or the other programs that were found to be using the poorly designed Komodia HTTPS interception library.
The company's products also check that certificates presented by websites are not expired, are for the correct domain and are issued by a trusted certificate authority, unlike PrivDog, a program that was recently found to intercept HTTPS traffic in an insecure manner.
In order to exploit the certificate revocation oversight in Bitdefender products, attackers would need a certificate for the target website that was validly issued but has since been revoked, together with its corresponding private key. They would also need to be in a position to intercept connections between affected users and that website.
This can be done through DNS hijacking, compromising routers, ARP spoofing, impersonating Wi-Fi access points -- known as evil twin attacks -- and other techniques. Depending on where the attack is executed it could affect a small number of users -- for example those on a local area network -- or a large population, if done higher up in the Internet infrastructure by someone like the NSA or a country's government.
It would be considerably harder than targeting users of PrivDog, Superfish or Komodia-based products, but far from impossible.
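The decision described above can be modelled end to end: a scanning product validates the site's certificate, then re-issues the site's identity under its own per-machine root. The following Go program is an added example written for this page, not Bitdefender's code or anything the vendor published. It builds a constructed test PKI (a public CA, a per-machine interception root, two server certificates and a CRL that revokes one of them) and implements an `inspect` function that performs the chain, expiry and hostname checks the article says the products do, plus the CRL lookup they skipped, which is switched on or off by a flag. `RunScenario` then plays the attack the article describes: a revoked certificate whose private key leaked, presented by a man-in-the-middle. All names, hostnames and serial numbers are assumptions for the example; it uses only the Go standard library and runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ca is a constructed authority: the public CA that signed the site's
// certificate, or the per-machine interception root the article describes.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue creates a certificate for cn. With parent nil it is a self-signed CA
// root; otherwise it is a server certificate for host cn signed by parent.
func issue(parent *ca, cn string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	signer, signCert := key, tmpl
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		signer, signCert = parent.key, parent.cert
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signCert, &key.PublicKey, signer)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// issueCRL publishes parent's revocation list naming the given serials.
func issueCRL(parent ca, revoked ...*big.Int) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	der, _ := x509.CreateRevocationList(rand.Reader, tmpl, parent.cert, parent.key)
	crl, _ := x509.ParseRevocationList(der)
	return crl
}

// inspect models a TLS-scanning product's decision on a site certificate. It
// always does the checks the article says Bitdefender performs (chain, expiry,
// hostname) and, only when checkRevocation is set, the one it skipped: consulting
// the issuer's CRL. If every check passes, the site's identity is re-issued
// under the local root so the browser will trust it.
func inspect(leaf *x509.Certificate, roots *x509.CertPool, crl *x509.RevocationList,
	checkRevocation bool, local ca) (*x509.Certificate, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: leaf.DNSNames[0]})
	if err != nil {
		return nil, err
	}
	if checkRevocation {
		issuer := chains[0][1] // the CA that signed both the leaf and its CRL
		if err := crl.CheckSignatureFrom(issuer); err != nil {
			return nil, fmt.Errorf("untrusted CRL: %w", err)
		}
		if time.Now().After(crl.NextUpdate) {
			return nil, errors.New("stale CRL: fail closed rather than guess")
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
				return nil, fmt.Errorf("serial %s is revoked: refusing to re-sign", leaf.SerialNumber)
			}
		}
	}
	resigned, _ := issue(&local, leaf.DNSNames[0], leaf.SerialNumber.Int64())
	return resigned, nil
}

// RunScenario returns whether a browser trusting only the local root would accept
// the re-signed copy of the revoked cert when revocation is skipped, the error the
// hardened path raises for it, and whether a valid cert still passes that path.
func RunScenario() (revokedTrusted bool, revokedErr error, validOK bool) {
	publicCert, publicKey := issue(nil, "Example Public CA (constructed)", 1)
	localCert, localKey := issue(nil, "Per-machine interception root (constructed)", 1)
	publicCA, local := ca{publicCert, publicKey}, ca{localCert, localKey}
	roots, browserRoots := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(publicCA.cert)
	browserRoots.AddCert(local.cert)

	compromised, _ := issue(&publicCA, "mail.example.test", 1001) // private key leaked
	good, _ := issue(&publicCA, "shop.example.test", 1002)
	crl := issueCRL(publicCA, compromised.SerialNumber) // the CA revoked it

	if resigned, err := inspect(compromised, roots, crl, false, local); err == nil {
		_, verr := resigned.Verify(x509.VerifyOptions{Roots: browserRoots, DNSName: "mail.example.test"})
		revokedTrusted = verr == nil
	}
	_, revokedErr = inspect(compromised, roots, crl, true, local)
	_, err := inspect(good, roots, crl, true, local)
	validOK = err == nil
	return revokedTrusted, revokedErr, validOK
}
```

The CRL path fails closed on a bad signature or a stale list rather than treating "no answer" as "not revoked"; a real product would fetch the CRL or an OCSP response from the URLs in the leaf's distribution-point and authority-information-access extensions and cache it, which this offline example replaces with a locally constructed list.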
For one thing, injecting data into HTTPS traffic, like the malicious payloads mentioned by Bitdefender, is not the only threat, Eiram said. Extracting sensitive information from it, including authentication tokens that would allow attackers to take over accounts, would also be possible.
The compromise of certificate private keys is not uncommon. In 2011, the Electronic Frontier Foundation found 73,345 cases where certificates were revoked because their private keys had been compromised. In addition, the Heartbleed flaw discovered in OpenSSL last year allowed attackers to extract sensitive data from HTTPS servers, including SSL private keys.
Security blunders or compromises at certificate authorities can also result in fraudulent certificates being issued. In 2011, hackers issued nine fraudulent SSL certificates for domain names owned by Google, Yahoo, Skype, Mozilla and Microsoft after compromising a Comodo-affiliated certificate registration authority.
That same year a Dutch certificate authority called DigiNotar was hacked and the attacker walked away with over 500 fraudulent certificates for various domain names. One of those certificates was later used in a mass surveillance attack against Gmail users in Iran.
Other similar incidents have happened since then, and certificate revocation played an important role in protecting users every time. Without it attackers can abuse fraudulent certificates for years, until their expiration date.
Cosoi argued that security products have a legitimate need to inspect HTTPS traffic and that, unlike adware programs, they do this to provide protection, not to profit. The practice of using a locally installed self-signed root certificate is a workaround that security products should be allowed to use, he said.
Eiram agreed, saying that the inability to inspect HTTPS traffic would be a significant limitation for such a product.
"It would be too simple for attackers to get around the Web browsing protection features by just getting users to visit malicious sites using HTTPS," he said. "However, it's important that security products implement proper certificate checks to ensure presented certificates are valid."