HTTPS cert flingers Trustico, SSL Direct go TITSUP after website security blunder blabbed
Add remote-code execution hole to mass-revocation drama
The websites for HTTPS certificate reseller Trustico, and one of its partners, SSL Direct, took a dive on Thursday – after a critical and trivial-to-exploit security flaw in Trustico.com was revealed on Twitter.
The vulnerability could be leveraged by miscreants to execute arbitrary commands on the website's host server. The web app took a URL from a form and passed it, without sanitization, into a command run on the underlying Linux-powered system, so a carefully crafted URL could smuggle in extra commands of the attacker's choosing. Worse, the service was running as root, so anyone who found and exploited the bug could take over the dot-com's web servers outright.
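As an added illustration, and not Trustico's code (which has not been published), the following Python sketch assumes the vulnerable tool was a thin wrapper that ran a certificate-checking command against a hostname taken from the submitted URL. The first function shows the shape of the flaw described above, splicing the form value into a shell string; the second parses the URL, allowlists the hostname, and hands it to the command as a single argv element with no shell in between. printf stands in for the real command (the article does not name it) so the example runs offline; the inputs are constructed.

```python
import re
import subprocess
from urllib.parse import urlsplit

# Hostname allowlist: DNS labels only (RFC 1123 shape). Anything else, including
# shell metacharacters, is rejected before a process is ever spawned.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)

# Assumption: the real tool invoked something like "openssl s_client" against the
# host. "printf" stands in for it here so the example runs without network access.
CHECK_FORMAT = "inspecting %s\\n"


def run_vulnerable(form_value: str) -> str:
    """The pattern behind the bug: the user's value is spliced into a shell
    command line, so ';', '&&', '$(...)' and friends are executed by /bin/sh."""
    cmd = f"printf '{CHECK_FORMAT}' {form_value}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def extract_hostname(form_value: str) -> str:
    """Parse the submitted URL and return its hostname, or raise if it is not a
    well-formed DNS name. urlsplit never touches a shell, and the regex refuses
    anything that is not a plain hostname."""
    host = urlsplit(form_value).hostname
    if host is None or not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected input: {form_value!r}")
    return host


def run_hardened(form_value: str) -> str:
    """Validated hostname, passed as one argv element, no shell involved.
    Even a value that somehow slipped past the allowlist could not grow extra
    commands, because there is no shell to interpret metacharacters."""
    host = extract_hostname(form_value)
    argv = ["printf", CHECK_FORMAT, host]
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "example.com; echo INJECTED"   # constructed sample input
    print(run_vulnerable(payload), end="")   # the injected echo runs too
    print(run_hardened("https://example.com/"), end="")
    try:
        run_hardened("https://example.com;echo INJECTED/")
    except ValueError as exc:
        print(exc)
```

Neither version addresses the second half of the finding: the process ran as root. The hardened wrapper still belongs under a dedicated unprivileged account, so that the next bug in a customer-facing "development tool" is a nuisance rather than a root shell on the box that also hosts a partner's website.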
On Wednesday, UK-based Trustico hit the headlines after its CEO emailed the private keys to 23,000 Trustico-sold, Symantec-branded SSL/TLS certs to certificate authority DigiCert, forcing the latter to revoke the certs as per the industry's security standards. DigiCert owns and operates the Symantec umbrella of HTTPS certificate issuers.
Trustico stopped selling Symantec-branded certificates in mid-February, and will in future resell Comodo's HTTPS certs, ahead of Google Chrome and Mozilla Firefox automatically rejecting Symantec-branded SSL/TLS certificates later this year. Trustico appears to have wanted to move its customers onto Comodo-issued certificates, and one way of doing this was to demand DigiCert revoke 50,000-odd Symantec-branded certificates sold via Trustico.
DigiCert will now cancel the 23,000 certs linked to the emailed private keys. What's happening with the other 27,000 isn't clear amid all this messy drama. Trustico said it recovered the "private keys from cold storage," having kept them for revocation purposes. Generally speaking, the only party that ought to retain an HTTPS certificate's private key is its holder and owner, not a reseller or other intermediary: a key that sits in a third party's cold storage is a key that can be emailed, leaked, or compelled, and that is exactly why the industry's rules treat a key known to a third party as compromised.
Trustico's staff have insisted the Brit biz has done nothing wrong: it just wanted the certs revoked. DigiCert was not impressed.
Now the website goes down
On Thursday morning, Serbian security researcher Predrag Cujanović tweeted details of a critical flaw in Trustico's website. The site was pulled offline – it just returns a 503 error – a move that also took out the website of SSL Direct, which uses Trustico as its "technology and solution provider." SSLDirect.com was sharing Trustico.com's server, it appears.
"This vulnerability was public already (that's how I found it), I only pointed out how bad it is (a web service running as root user)," Cujanović later explained. "There was no protection in place and I didn't read any sensitive information."
Perhaps someone ran rm -rf --no-preserve-root / on the box. No, don't try that at home. Or work.
"Here's another twist in Trustico thing - there's a reseller of Trustico (who themselves are a reseller) called SSL Direct, who have websites in lots of countries. They're also offline as hosted in same server as Trustico."
Kevin Beaumont (@GossiTheDog), March 1, 2018
At the time of publication, Trustico's website was still down, and there was no official word on the cause from the company, which has been silent on social media and has not returned our requests for comment. ®
Updated to add
Trustico director Zane Lucas has been in touch to say the website's server was not connected to systems holding customer information, and the vulnerable web app was a tool for inspecting websites' certificates rather than a service involving customer data. The site was taken down while the biz investigates, we're told.
"We can’t go into the specifics, but what I can say to you is that we shut down the development tools and the web server they were running on temporarily to investigate the tool in question," Lucas told us.
"We haven’t found any evidence of a breach, though we disabled the tools pending a full investigation.
"It should be noted that the server that the tools are running on is not connected with any databases or services that contain customer data. The tools in question are development tools that customers can use to learn the intricacies of an SSL certificate, as indicated on the page – they are not designed for production use."
TITSUP, abbr.: Total Inability To Sell Usual Products