SecurityWeek

Network Security

D-Link Accidentally Publishes Private Keys Online

Networking equipment provider D-Link accidentally published a series of private code signing keys when releasing the source code of recent firmware updates under the GPL license.


First discovered by a developer who goes by the name bartvbl, the presence of the private keys used for code signing within the open source firmware has already been confirmed by D-Link, which released firmware updates, as Tweakers.net reports.

After purchasing a DCS-5020L surveillance camera, bartvbl had a look at the firmware that D-Link had made available as open source, and discovered that it included the aforementioned private keys for certificate signing, and that one of them was still valid.

Yonathan Klijnsma, a researcher at security firm Fox-IT, confirmed to SecurityWeek that the open source firmware included four code signing certificates that could be used to build applications seemingly coming from D-Link. However, only one of the certificates was found to be valid, while the others had expired months or years earlier.

The certificate found to still be valid was issued to VeriSign, which is owned by Symantec, and was discovered in a firmware update released on February 27. The certificate was valid for code signing between July 5 and September 3. The other certificates were issued to Starfield Technologies, Inc. (expired in 2014), and to KEEBOX INC. and Alpha Networks Inc. (expired in 2011).

As Klijnsma explains, all of the certificates have expired by now, and they can no longer be used to sign applications. However, signatures made with these certificates before they expired are still validated, which could pose a significant threat if cybercriminals knew about the existence of these private keys in the open source firmware while the certificates were still valid.

“The thing is that expired certificates are still validated for code signed applications if the applications are signed _before_ the expiry date of the certificate. So at this point it’s not an issue if people sign it now because it expired and apps will thus not validate anymore but if someone knew about this before they expired they could have used it to validate the signing check. Even more so because, as said, the signed applications still validate after the certificate expires if the certificate isn’t revoked,” he says.
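The rule Klijnsma describes, as an added model that is not part of the article or of any vendor's verifier: a signed application is checked against the trusted timestamp attached to its signature (or against the current time when there is none), and against the certificate's revocation date. The year 2015 for the leaked certificate's validity window and the revocation dates are assumptions; the article gives only the month and day.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc


@dataclass(frozen=True)
class CodeSigningCert:
    subject: str
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None  # revocation date on the CA's CRL, if any


def signature_validates(cert: CodeSigningCert, now: datetime,
                        timestamp: Optional[datetime] = None) -> bool:
    """Model of how a code-signing verifier treats an expired certificate.

    The time that matters is the trusted timestamp on the signature; without one
    the verifier can only use the current time. The signature is accepted when
    that time lies inside the validity window and the certificate had not yet
    been revoked at that time. Whether `now` is past not_after is irrelevant,
    which is why a leaked key stays dangerous until the certificate is revoked.
    """
    check_time = timestamp if timestamp is not None else now
    if not (cert.not_before <= check_time <= cert.not_after):
        return False
    if cert.revoked_at is not None and check_time >= cert.revoked_at:
        return False
    return True


# Constructed stand-in for the still-valid certificate from the article.
LEAKED_CERT = CodeSigningCert(
    subject="constructed: D-Link code-signing certificate",
    not_before=datetime(2015, 7, 5, tzinfo=UTC),
    not_after=datetime(2015, 9, 3, tzinfo=UTC),
)

TS_BEFORE_EXPIRY = datetime(2015, 8, 1, tzinfo=UTC)   # signed while still valid
NOW_AFTER_EXPIRY = datetime(2015, 9, 10, tzinfo=UTC)  # verifier runs after expiry
LEAK_DATE = datetime(2015, 2, 27, tzinfo=UTC)         # firmware release date
LATE_REVOCATION = datetime(2015, 9, 5, tzinfo=UTC)    # assumed: revoked after expiry


def run_scenarios() -> dict:
    """Each entry is one case from the article; True means the signature validates."""
    late = replace(LEAKED_CERT, revoked_at=LATE_REVOCATION)
    backdated = replace(LEAKED_CERT, revoked_at=LEAK_DATE)
    return {
        "timestamped_before_expiry": signature_validates(LEAKED_CERT, NOW_AFTER_EXPIRY, TS_BEFORE_EXPIRY),
        "signed_after_expiry": signature_validates(LEAKED_CERT, NOW_AFTER_EXPIRY),
        "late_revocation_keeps_old_signature": signature_validates(late, NOW_AFTER_EXPIRY, TS_BEFORE_EXPIRY),
        "revocation_backdated_to_leak": signature_validates(backdated, NOW_AFTER_EXPIRY, TS_BEFORE_EXPIRY),
    }
```

The last two cases show why a revocation entered after the expiry date does not undo signatures made while the key was exposed; the revocation date has to be set back to the moment of the leak.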

Klijnsma also checked the OS X keychain to verify whether the certificate was present on OS X too, and confirmed that it was. He notes that it is unclear whether it will validate for code signing on OS X but that there is a possibility that this would happen.


“Assuming the trusted root in the keychain validates for issuing (because it has the CA flag), and thus the chain onwards from this, it could also mean packages signed with this would validate on OSX as well,” the researcher explains.

Symantec has been contacted on the matter and is expected to revoke the exposed certificate soon.
