Check Point Advisories

SSL Certificate Forgery via MD5 Collision Attacks

Vulnerability
Protection

Check Point Reference:	CPAI-2009-001
Date Published:	5 Jan 2009
Severity:	Critical
Last Updated:	Monday 05 January, 2009
Source:
Protection Provided by:	Security Gateway R81, R80, R77, R75, R71, R70, R65
Who is Vulnerable?
Vulnerability Description	Public key infrastructure (PKI) is a mechanism used for issuing digital certificates for secure websites. A critical vulnerability was detected in PKI that enables attackers to create a forged digital certificate that will be trusted by all common web browsers. The vulnerability is due to a weakness in the MD5 algorithm - the hashing algorithm used to verify the uniqueness of many digital certificates in a SSL secure transaction - that enables attackers to create 'collision attacks', using the same MD5 hash to create forged certificates.Using a forged certificate, an attacker can tamper with data sent to SSL secure sites and execute practically undetectable phishing attacks against these sites.

Protection Overview

This protection will be able to detect and block SSL connection attempts to Web sites whose certificate may have been forged using the recently discovered collision attack.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R75 / R71 / R70 / R65

In the IPS tab, click Protections and find the SSL Certificate Forgery via MD5 Collision Attacks protection using the Search tool and Edit the protection's settings.
Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name: Web Client Enforcement Violation.
Attack Information: Suspicious SSL certificate forgery via MD5 collision attacks