DigiCert, a provider of SSL/TLS certificates, warned that it too had suffered at the hands of the Salty criminals because a key used for Signed Certificate Timestamps (SCTs) was potentially compromised.
The company joins Ghost.org and LineageOS among the targets of attackers who exploited a vulnerability revealed (and corrected) in the Salt configuration tool over the weekend, spraying exposed infrastructure with cryptocurrency mining software.
In the case of DigiCert, it seems that the attackers could have had access to the signing key of a Certificate Transparency (CT) server had they not been so preoccupied with running the mining software. However, since the DigiCert team could not prove that the keys had not been requested, the prudent decision was made to assume that harmful activities had occurred and to act accordingly.
For clarity, Digicert CT log 2 has been rated as dangerous due to the vulnerability.
– Jeremy Rowley (@GreatAmus) May 4, 2020
Writing in a Certificate Transparency forum, Jeremy Rowley, of business development at DigiCert, assured users that “all other DigiCert CT logs are unaffected [sic] because they run on a separate infrastructure.”
“The attacker,” said Rowley, “does not seem to realize that they had access to the keys and were performing other services on the [infrastructure].”
He added that “Digicert's CT logs are operated in an environment separate from HQ operations. In fact, the unique CT logs are operated [separately] from other CT logs, so the event is really limited to CT2.”
Still not great, huh?
For his part, Alex Peay, executive vice-president of SaltStack, wanted to remind users that: “We must reinforce how essential it is that all Salt users correct their systems and follow the instructions that we have provided describing remediation steps and best practices for environmental safety in Salt.”
The company added, “Customers who have followed basic Internet security guidelines and best practices are not affected by this vulnerability.”
DigiCert told us that it is disabling the Certificate Transparency (CT) 2 log server “after determining that the key used to sign the SCTs may have been exposed via critical SALT vulnerabilities.”
“We do not believe that the key was used to sign SCTs outside the normal operation of the CT log, but as a precaution, the certification authorities who received SCTs from the CT2 log after May 2 at 5 p.m. US Mountain Daylight Time (MDT) should receive an SCT from another trusted log.”
Three other DigiCert CT logs – CT1, Yeti and Nessie – run on different infrastructure and have not been affected, the company said.
“DigiCert has been planning to close CT2 for some time in order to move the industry to our newer, more robust CT logs, Yeti and Nessie. We have notified the industry of our intention to end CT2's signature operations on May 1, but that date was moved, with the CT2 log's read-only mode taking effect on May 3,” added the company. ®