
Update Protection against SSL Certificate Forgery via MD5 Collision Attacks


Check Point Reference: CPAI-2009-001
Date Published:
Severity:
Last Updated:
Source: Description of SSL Certificate Forgery Attack
Microsoft Security Advisory (961509)
Mozilla Security Blog
Protection Provided by:
VPN-1
  • NGX R65
  • NGX R62
VSX
  • NGX R65
IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
Users of Web browsers
Vulnerability Description
A new attack affecting digital certificates that use the MD5 hash function has been discovered by a group of security researchers. The researchers have identified a vulnerability in the Internet Public Key Infrastructure (PKI) used to issue digital certificates for secure websites. The attack takes advantage of a weakness in the MD5 cryptographic hash function that allows the construction of different messages with the same MD5 hash, known as an MD5 "collision". The researchers were able to successfully create a rogue Certification Authority (CA) certificate trusted by all common web browsers. This certificate can be used to impersonate any website on the Internet, including banking and e-commerce sites secured using the HTTPS protocol.
Vulnerability Details
With a rogue CA certificate, certificate validation performed by browsers can be subverted and malicious attackers might be able to monitor or tamper with data sent to secure websites. Attackers would be able to perform man-in-the-middle attacks and execute practically undetectable phishing attacks against such sites, tricking users into disclosing sensitive information such as social security numbers, credit card numbers and account usernames and passwords.

Protection Overview
By enabling this protection, SmartDefense will be able to detect and block SSL connection attempts to Web sites whose certificate may have been forged using the recently discovered collision attack.

In order for the protection to be activated, update your VPN-1 product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

VPN-1 NGX R65 & R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Web Intelligence > HTTP Client Protections.
2. Select the following protection:

SSL Certificate Forgery via MD5 Collision Attacks

3. In the configuration pane, under Settings > Mode, check Active.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Invalid SSL Packet
Attack Information: Suspicious SSL certificate forgery via MD5 collision attacks

VPN-1 VSX NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Web Intelligence > HTTP Client Protections.
2. Select the following protection:

SSL Certificate Forgery via MD5 Collision Attacks

3. In the configuration pane, under Settings > Mode, check Active.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Invalid SSL Packet
Attack Information: Suspicious SSL certificate forgery via MD5 collision attacks

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Network Security > SSL, and select the SSLv3/TLS Server Hello group.
3. Click SSL Certificate forgery alert (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged: 

Alert Name: SSLv3/TLS Server Hello
Description: SSL Certificate forgery alert