
D-Link Accidentally Publishes Private Keys Online

Networking equipment provider D-Link accidentally published a series of private code signing keys when releasing the source code of recent firmware updates under the GPL license.


First discovered by a developer who goes by the name bartvbl, the presence of the private code signing keys in the open source firmware has already been confirmed by D-Link, which released firmware updates, as Tweakers.net reports.

After purchasing a DCS-5020L surveillance camera, bartvbl had a look at the firmware that D-Link had made available as open source and discovered that it included the aforementioned private keys for certificate signing, one of which was still valid.

Yonathan Klijnsma, a researcher at security firm Fox-IT, confirmed to SecurityWeek that the open source firmware included four code signing certificates that could be used to build applications seemingly coming from D-Link. However, only one of the certificates was found to be valid, while the others had expired months or years earlier.

The certificate found to still be valid was issued to VeriSign, which is owned by Symantec, and was discovered in a firmware update released on February 27. The certificate was valid for code signing between July 5 and September 3. The other certificates were issued to Starfield Technologies, Inc. (expired in 2014), and to KEEBOX INC. and Alpha Networks Inc. (expired in 2011).

As Klijnsma explains, all of the certificates have now expired and can no longer be used to sign applications. However, applications signed before the certificates expired still validate, which could have posed a significant threat if cybercriminals had known that these private keys were present in the open source firmware while the certificates were still valid.

“The thing is that expired certificates are still validated for code signed applications if the applications are signed _before_ the expiry date of the certificate. So at this point it’s not an issue if people sign it now because it expired and apps will thus not validate anymore but if someone knew about this before they expired they could have used it to validate the signing check. Even more so because, as said, the signed applications still validate after the certificate expires if the certificate isn’t revoked,” he says.
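The validation rule Klijnsma describes, as an added example that is not part of the article or of any D-Link or Fox-IT code: a verifier that trusts a signature made inside the certificate's validity window (as recorded by a timestamp countersignature) even after the certificate has expired, unless the certificate is revoked. The certificate records are constructed from the dates the article gives; the year 2015 and the exact days for the 2014 and 2011 expiries are assumptions.

```python
"""Code-signing validity check modelling the rule the article describes.
Added example, not code from D-Link, Fox-IT or SecurityWeek."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class CodeSigningCert:
    subject: str
    not_before: datetime
    not_after: datetime
    revoked: bool = False


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed from the article: the VeriSign-issued certificate was valid for
# code signing from July 5 to September 3 (year 2015 assumed). Days for the
# Starfield (2014) and KEEBOX/Alpha Networks (2011) certificates are placeholders.
LEAKED_CERTS = {
    "verisign_issued": CodeSigningCert("D-Link (VeriSign)", _utc(2015, 7, 5), _utc(2015, 9, 3)),
    "starfield": CodeSigningCert("Starfield Technologies, Inc", _utc(2012, 1, 1), _utc(2014, 1, 1)),
    "keebox": CodeSigningCert("KEEBOX INC.", _utc(2009, 1, 1), _utc(2011, 1, 1)),
    "alpha": CodeSigningCert("Alpha Networks Inc.", _utc(2009, 1, 1), _utc(2011, 1, 1)),
}


def signature_status(cert: CodeSigningCert, signing_time: Optional[datetime], now: datetime) -> str:
    """Explain whether a signature is accepted.

    signing_time is the time asserted by a trusted timestamp countersignature.
    None means the signature carries no timestamp, so the verifier can only
    compare the certificate's validity window against the current time."""
    if cert.revoked:
        return "REJECT: certificate revoked"
    check_at = signing_time if signing_time is not None else now
    if check_at < cert.not_before:
        return "REJECT: signed before certificate became valid"
    if check_at > cert.not_after:
        if signing_time is None:
            return "REJECT: certificate expired and signature has no timestamp"
        return "REJECT: signed after certificate expired"
    if now > cert.not_after:
        return "ACCEPT: certificate expired, but timestamped signature predates expiry"
    return "ACCEPT: certificate currently valid"


def audit_leaked_certs(signing_time: Optional[datetime], now: datetime) -> dict:
    """Status of a signature made at signing_time with each leaked certificate."""
    return {name: signature_status(c, signing_time, now) for name, c in LEAKED_CERTS.items()}
```

Running `audit_leaked_certs` with a signing time inside the VeriSign-issued window and a later `now` shows the point of the article: the expired 2011 and 2014 certificates are rejected, while a signature made in August 2015 still passes after September 3 until the certificate is revoked.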

Klijnsma also checked the OS X keychain to verify whether the certificate was present on OS X too, and confirmed that it was. He notes that it is unclear whether it will validate for code signing on OS X but that there is a possibility that this would happen.

“Assuming the trusted root in the keychain validates for issuing (because it has the CA flag), and thus the chain onwards from this, it could also mean packages signed with this would validate on OSX as well,” the researcher explains.

Symantec has been contacted on the matter and is expected to revoke the exposed certificate soon.
