Networking equipment provider D-Link accidentally published a series of private code signing keys when releasing the source code of recent firmware updates under the GPL license.
First discovered by a developer who goes by the name bartvbl, the presence of the private keys used for certificate signing within the open source firmware has already been confirmed by D-Link, which has released firmware updates, Tweakers.net reports.
After purchasing a DCS-5020L surveillance camera, bartvbl had a look at the firmware that D-Link had made available as open source and discovered that it included the aforementioned private keys for certificate signing, one of which was still valid.
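The release mistake described above is the kind that a pre-publication check catches: walking the source tree and flagging any file that carries a private-key PEM block or a binary key container before the tarball goes out. The following scanner is an added example written for this article; it is not D-Link's tooling, the header list and extension set are assumptions, and the mini source tree it builds for the dry run (including the fake key block) is constructed and contains no real key material.

```python
import tempfile
from pathlib import Path

# PEM headers that mark private key material. A public certificate block
# ("-----BEGIN CERTIFICATE-----") is deliberately absent: shipping certificates
# with firmware is normal, shipping the matching private key is the leak.
PRIVATE_KEY_HEADERS = (
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN DSA PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----",
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
)

# Binary key containers have no text header, so flag them by extension
# (assumed list) and leave the final decision to a human reviewer.
SUSPECT_EXTENSIONS = {".pfx", ".p12", ".key"}


def scan_bytes(data):
    """Return the private-key PEM headers found in one file's bytes."""
    return [h.decode() for h in PRIVATE_KEY_HEADERS if h in data]


def scan_tree(root):
    """Walk a source release and map relative paths to findings.

    A path is reported if it contains a private-key PEM block or if its
    extension suggests a binary key container."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: skip it rather than abort the scan
        hits = scan_bytes(data)
        if path.suffix.lower() in SUSPECT_EXTENSIONS:
            hits.append("suspect extension " + path.suffix.lower())
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def build_demo_tree():
    """Create a constructed mini source tree (not D-Link's) for a dry run."""
    root = Path(tempfile.mkdtemp(prefix="gpl-release-"))
    (root / "src").mkdir()
    (root / "src" / "main.c").write_text("int main(void) { return 0; }\n")
    (root / "certs").mkdir()
    # Public certificate: expected in a release, must not be flagged.
    (root / "certs" / "vendor.crt").write_text(
        "-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n")
    # Constructed private-key block (not a real key): the leak we want to catch.
    (root / "certs" / "signing.pem").write_text(
        "-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n-----END RSA PRIVATE KEY-----\n")
    # Binary container with no readable header: flagged by extension only.
    (root / "tools").mkdir()
    (root / "tools" / "release.pfx").write_bytes(b"\x30\x82\x00\x00")
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for rel, hits in sorted(scan_tree(demo).items()):
        print(f"{rel}: {', '.join(hits)}")
```

Run against a real release directory, the scan is cheap enough to sit in the packaging pipeline as a blocking step; the extension check produces some noise (a `.key` file may be harmless), which is why it is reported separately from a confirmed PEM hit.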
Yonathan Klijnsma, a researcher at security firm Fox-IT, confirmed to SecurityWeek that the open source firmware included four code signing certificates that could be used to build applications seemingly coming from D-Link. However, only one of the certificates was found to be valid; the others had expired months or years earlier.
The certificate found to still be valid was issued to VeriSign, which is owned by Symantec, and was discovered in a firmware update released on February 27. The certificate was valid for code signing between July 5 and September 3. The other certificates were issued to Starfield Technologies, Inc. (expired in 2014), and to KEEBOX INC. and Alpha Networks Inc. (expired in 2011).
As Klijnsma explains, all of the certificates have now expired and can no longer be used to sign applications. However, signatures made with these certificates before they expired still validate, which could pose a significant threat if cybercriminals knew about the presence of these private keys in the open source firmware while the certificates were still valid.
“The thing is that expired certificates are still validated for code-signed applications if the applications are signed _before_ the expiry date of the certificate. So at this point it’s not an issue if people sign it now, because it expired and apps will thus not validate anymore, but if someone knew about this before they expired they could have used it to validate the signing check. Even more so because, as said, the signed applications still validate after the certificate expires if the certificate isn’t revoked,” he says.
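The rule Klijnsma describes (a signature made inside the certificate's validity window keeps validating after expiry unless the certificate is revoked) is easy to get wrong in verification code, so here it is spelled out as an added example, not code from the article or from any vendor. The certificate, its dates and the signing times are constructed sample values; the article gives only month and day for the real certificate and none of them are used here.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Optional, Tuple


@dataclass(frozen=True)
class CodeSigningCert:
    subject: str
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None  # None: the issuer has not revoked it


def evaluate_signature(cert: CodeSigningCert, signed_at: datetime,
                       now: datetime) -> Tuple[bool, str]:
    """Return (accepted, reason) for a signature made at `signed_at`, checked at `now`.

    Expiry is judged against the signing time, not the checking time: a
    signature made inside the window survives the certificate's expiry.
    Revocation is what finally invalidates those earlier signatures."""
    if signed_at < cert.not_before:
        return False, "signed before certificate became valid"
    if signed_at > cert.not_after:
        return False, "signed after certificate expired"
    if cert.revoked_at is not None and cert.revoked_at <= now:
        return False, "certificate revoked by issuer"
    if now > cert.not_after:
        return True, "signed before expiry; certificate since expired but not revoked"
    return True, "certificate currently valid"


def revoke(cert: CodeSigningCert, when: datetime) -> CodeSigningCert:
    """Model the issuer revoking the certificate at time `when`."""
    return replace(cert, revoked_at=when)


# Constructed sample certificate (not the leaked D-Link one): valid for one year.
UTC = timezone.utc
LEAKED = CodeSigningCert(
    subject="vendor code-signing cert (constructed)",
    not_before=datetime(2000, 1, 1, tzinfo=UTC),
    not_after=datetime(2000, 12, 31, tzinfo=UTC),
)
SIGNED_IN_WINDOW = datetime(2000, 6, 1, tzinfo=UTC)   # attacker signed while valid
SIGNED_AFTER = datetime(2001, 3, 1, tzinfo=UTC)       # attempt after expiry
CHECK_TIME = datetime(2001, 6, 1, tzinfo=UTC)         # verifier runs months later


if __name__ == "__main__":
    for label, cert, signed in (
        ("signed in window, checked after expiry", LEAKED, SIGNED_IN_WINDOW),
        ("signed after expiry", LEAKED, SIGNED_AFTER),
        ("signed in window, issuer has revoked", revoke(LEAKED, CHECK_TIME), SIGNED_IN_WINDOW),
    ):
        ok, why = evaluate_signature(cert, signed, CHECK_TIME)
        print(f"{label}: {'ACCEPT' if ok else 'REJECT'} ({why})")
```

The third case is the one the article ends on: expiry alone leaves anything signed during the exposure window trusted, and only the issuer's revocation closes it. On Windows Authenticode the "signed at" time that makes an expired certificate's signature survive is the one asserted by a trusted timestamp countersignature; a signature with no timestamp is treated as expiring together with the certificate.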
Klijnsma also checked the OS X keychain to verify whether the certificate was present there too, and confirmed that it was. He notes that it is unclear whether it would validate for code signing on OS X, but that there is a possibility it would.
“Assuming the trusted root in the keychain validates for issuing (because it has the CA flag) and thus the chain onwards from this, it could also mean packages signed with this would validate on OSX as well,” the researcher explains.
Symantec has been contacted on the matter and is expected to revoke the exposed certificate soon.