Overview
NetNanny uses a shared private key and root Certificate Authority (CA), making systems broadly vulnerable to HTTPS spoofing.
Description
NetNanny installs a Man-in-the-Middle (MITM) proxy as well as a new trusted root CA certificate. The certificate used by NetNanny is shared among all installations of NetNanny. Furthermore, the private key used to generate the certificate is also shared and may be obtained in plaintext directly from the software. An attacker may use this shared private key to generate new certificates that would be signed by and therefore trusted by NetNanny. An affected user would not be alerted to a false malicious HTTPS website as NetNanny would trust the spoofed certificate. NetNanny has provided more information on this issue on their FAQ. We have confirmed that NetNanny version 7.2.4.2 is affected. Other versions may also be affected. |
Impact
An attacker can spoof HTTPS sites and intercept HTTPS traffic without triggering browser certificate warnings in affected systems. |
Solution
Update NetNanny |
Disable SSL filtering and remove the certificate |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 6.8 | AV:N/AC:L/Au:S/C:C/I:N/A:N |
| Temporal | 6.5 | E:F/RL:U/RC:C |
| Environmental | 4.9 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
References
Acknowledgements
Thanks to Imran Ghory for reporting this issue to us.
This document was written by Garret Wassermann.
Other Information
| CVE IDs: | None |
| Date Public: | 2015-04-20 |
| Date First Published: | 2015-04-20 |
| Date Last Updated: | 2015-05-07 14:36 UTC |
| Document Revision: | 46 |