(DC) InCommon Certificate Chain Issue

Description

The Information Security Office (ISO) recently sent out "Awareness of Potential Threat" e-mail notifications stating that "A known CA SSL certificate in the certificate chain has been signed using a weak hashing algorithm." The notifications included a recommendation to "contact the Certificate Authority to have the certificate reissued."

DO NOT request a new SSL certificate to address this specific issue. The CA SSL certificate in your application or service must be replaced to address this issue.

Email from the ISO (September 2024)

From: UT Information Security Office <security@utexas.edu>
Sent: Tuesday, September 10, 2024 2:21 AM
To: …
Subject: UT/ISO -- Awareness of Potential Threat

============================================================
The following alert is the product of the Cyber Hunting Orchestrated Maneuvers Platform (C.H.O.M.P) service created by the UT Austin Information Security Office. This is an informational notice only.
============================================================

The Information Security Office has verified that the following systems are susceptible to a notable vulnerability or have a possibly unnecessary service exposed to the internet and we wanted to bring them to your attention.

(SEE ATTACHED CSV FOR MORE DETAILS AND REMEDIATION INFORMATION)

------------------------------
Notes
------------------------------

This action aligns with the risk criteria laid out in the ISO's Vulnerability Management Program (https://security.utexas.edu/vmp).

You can view these results and others via our Managed Splunk Service: https://splunk.security.utexas.edu/en-US/app/mss_app/tenable_hosts

We strongly recommend deploying Nessus Agents throughout your network, including on systems processing Confidential data, where it is required by policy: https://security.utexas.edu/nessus-agents

If network isolation is needed to address this issue (e.g., host firewalls aren't possible) then the General Network must be leveraged. The General Network offers one of the most secure networks on campus with new security features being added frequently. Note, NAT is not considered isolation.

If a port must be publicly exposed to inbound traffic from the internet an exception must be filed at https://isora.security.utexas.edu/r/compliance.

Please let us know if you believe any of this information to be inaccurate so that we can be of better service in the future.

Thank you for your vigilance.

Information Security Office
The University of Texas at Austin
security@utexas.edu
http://security.utexas.edu
=======================================

Details about the vulnerability...

The remote service uses a known CA certificate in the SSL certificate chain that has been signed using a cryptographically weak hashing algorithm (e.g., MD2, MD4, MD5, or SHA1). These signature algorithms are known to be vulnerable to collision attacks (CVE-2004-2761, for example). An attacker can exploit this to generate another certificate with the same digital signature, allowing the attacker to masquerade as the affected service.

Note that this plugin reports all SSL certificate chains signed with SHA-1 that expire after January 1, 2017 as vulnerable. This is in accordance with Google's gradual sunsetting of the SHA-1 cryptographic hash algorithm.

Note that this plugin will only fire on root certificates that are known certificate authorities as listed in Tenable Community Knowledge Article 000001752. That is what differentiates this plugin from plugin 35291, which will fire on any certificate, not just known certificate authority root certificates.

Known certificate authority root certificates are inherently trusted and so any potential issues with the signature, including it being signed using a weak hashing algorithm, are not considered security issues.

 

This article provides an explanation of the issue and how to resolve it.

Why am I receiving this email?

The enrollment emails that customers receive upon the generation or renewal of SSL certificates from the Digital Certificates service (aka InCommon certificates) include links to the following:

  • "AAA Certificate Services" root certificate

  • "USERTrust RSA Certification Authority" intermediate certificate

Both are detailed in the diagram "Trust Chain Path B", found at the bottom of the Knowledge Base page.

The problem

Most customers dutifully use the information that is provided to them in this email and install the "AAA Certificate Services" root certificate as part of their certificate chain within their application or service. This action may result in an "Awareness of Potential Threat" email from the ISO regarding the use of SHA-1 certificates.

In its guidance, the ISO recommends that you contact the Certificate Authority to have the certificate reissued. The certificate is one owned and supplied by our certificate authority and cannot be reissued. Additionally, reissuing the SSL certificate for your application or service will not resolve the issue.

The solution

To address the ISO notice, affected customers can migrate from "Trust Chain Path B" to "Trust Chain Path A", replacing their certificate chain with the "USERTrust RSA Certification Authority" root certificate and the "InCommon RSA Server CA 2" intermediate certificate.

Please review all certificates in your certificate chain to correctly identify each one. You can use the site "certificate decoder" to determine which PEM-encoded block is which certificate.

You need to remove BOTH the "AAA Certificate Services" root certificate and the "USERTrust RSA Certification Authority" intermediate certificate and replace them with the above certificates.


Please find the certificates for "Trust Chain Path A" in the following locations:

Please see the documentation for your particular application or service for instructions on how to replace the certificates.

Technical Details for the various certificates

The "AAA Certificate Services" root certificate has the following thumbprints:

  • SHA-256: d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef4

  • SHA-1: d1eb23a46d17d68fd92564c2f1f1601764d8e349

The "USERTrust RSA Certification Authority" intermediate certificate has the following thumbprints:

  • SHA-256: 68b9c761219a5b1f0131784474665db61bbdb109e00f05ca9f74244ee5f5f52b

  • SHA-1: d89e3bd43d5d909b47a18977aa9d5ce36cee184c

The "USERTrust RSA Certification Authority" root certificate has the following thumbprints:

  • SHA-256: e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd2

  • SHA-1: 2b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e
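
As an alternative to pasting blocks into a web decoder, the following added example (not part of the original article or the Digital Certificates service) splits a PEM chain file, computes the SHA-256 thumbprint of each block's DER bytes, and matches it against the thumbprints listed above. The function names, the "remove"/"keep"/"review" labels and the sample bundle are assumptions made for illustration; the sample blocks are constructed bytes, not real certificates.

```python
import base64
import hashlib
import re
import sys

# SHA-256 thumbprints exactly as listed in this article, with the action it gives.
PAGE_THUMBPRINTS = {
    "d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef4":
        ('"AAA Certificate Services" root', "remove"),
    "68b9c761219a5b1f0131784474665db61bbdb109e00f05ca9f74244ee5f5f52b":
        ('"USERTrust RSA Certification Authority" intermediate', "remove"),
    "e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd2":
        ('"USERTrust RSA Certification Authority" root', "keep"),
}
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def thumbprints(pem_text):
    """SHA-256 over the DER bytes of each certificate block, in file order."""
    return [hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_BLOCK.findall(pem_text)]

def audit_chain(pem_text, known=PAGE_THUMBPRINTS):
    """Label every block; blocks not in `known` (e.g. the server's own
    certificate) are reported for manual review, never guessed at."""
    report = []
    for position, fp in enumerate(thumbprints(pem_text)):
        name, action = known.get(fp, ("not listed in this article", "review"))
        report.append({"position": position, "sha256": fp,
                       "name": name, "action": action})
    return report

def needs_migration(report):
    """True when the chain still holds a certificate the article says to remove."""
    return any(entry["action"] == "remove" for entry in report)

def to_pem(der):
    """Helper for building constructed sample input from arbitrary bytes."""
    b64 = base64.b64encode(der).decode()
    rows = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{rows}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # With no argument, audit a constructed two-block bundle (not real certificates).
    sample = to_pem(b"constructed leaf bytes") + to_pem(b"constructed CA bytes")
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else sample
    for entry in audit_chain(text):
        print(entry["position"], entry["action"], entry["name"], entry["sha256"])
    print("migration needed:", needs_migration(audit_chain(text)))
```

Pass the path of your chain file as the only argument. The thumbprint of the "InCommon RSA Server CA 2" intermediate is not listed in this article, so that block is reported as "review" along with the server certificate.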