Hello:

Thank you for alerting us.  The issuer HydrantID has communicated with the 
certificate holder Cisco, and the certificate has been revoked.

Kind regards, Stephen Davidson
QuoVadis


________________________________________
From: dev-security-policy 
[dev-security-policy-bounces+s.davidson=quovadisglobal....@lists.mozilla.org] 
on behalf of Koen Rouwhorst via dev-security-policy 
[[email protected]]
Sent: Sunday, June 18, 2017 6:18 AM
To: Nick Lamb via dev-security-policy
Subject: Private key corresponding to public key in trusted Cisco certificate embedded in executable

Hi all,

Last weekend, in an attempt to get Sky's NOW TV video player (for Mac) to work 
on my machine, I noticed that one of the Cisco executables contains a private 
key that is associated with the public key in a trusted certificate for a 
cisco.com sub domain (drmlocal.cisco.com). This certificate is used in a local 
WebSocket server, presumably to allow secure Sky/NOW TV origins to communicate 
with the video player on the users' local machines.

I read the Baseline Requirements document (version 1.4.5, section 4.9.1.1), but 
I wasn't entirely sure whether this is considered a key compromise. I asked 
Hanno Böck on Twitter (https://twitter.com/koenrh/status/873869275529957376), 
and he advised me to post the matter to this mailing list.

The executable containing the private key is named 'CiscoVideoGuardMonitor', 
and is shipped as part of the NOW TV video player. In case you are interested, 
the installer can be found at 
https://web.static.nowtv.com/watch/NowTVPlayerInstaller.pkg (SHA-256: 
56feeef4c3d141562900f9f0339b120d4db07ae2777cc73a31e3b830022241e6). I would 
recommend running this installer in a virtual machine, because it drops files 
all over the place, and installs a few launch items (agents/daemons). The 
executable 'CiscoVideoGuardMonitor' can be found at 
'$HOME/Library/Cisco/VideoGuardPlayer/VideoGuardMonitor/VideoGuardMonitor.bundle/Contents/MacOS/CiscoVideoGuardMonitor'.

Certificate details:

Serial number: 66170CE2EC8B7D88B4E2EB732E738FE3A67CF672
DNS names: drmlocal.cisco.com
Issued by: HydrantID SSL ICA G2

Leaf certificate + HydrantID intermediate:
https://gist.github.com/koenrh/bf2a7eee03c9100be37d30b92760f5ab#file-certificates-pem

As proof, I have published a verification message in a GitHub Gist, and signed 
the message using the compromised private key. See: 
https://gist.github.com/koenrh/bf2a7eee03c9100be37d30b92760f5ab#file-message-txt 
(verify using: 'openssl dgst -sha256 -verify public-key.pem -signature 
message.txt.sig message.txt')

If this is indeed considered a key compromise, where do I go from here, and 
what are the recommended steps to take? Do I need to contact the subscriber 
(Cisco), and ask them to send a revocation request for this certificate to the 
issuer? Or do I need to notify the issuer (HydrantID), and ask them to revoke 
this certificate?

Thanks.

Best regards,
Koen Rouwhorst


_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
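The proof-of-possession check described in the report (a challenge message signed with the leaked key, verified against the certificate's public key) is what a CA or a reviewer on this list would run before acting on such a report. The script below is an added example, not part of the thread or of any CA's tooling: it generates a throwaway key and self-signed certificate locally (constructed demo material, assuming `openssl` is installed) and then checks both that the key matches the certificate and that the signed challenge verifies.

```shell
#!/bin/sh
# Added example: confirm a key-compromise report by (1) checking that the
# supplied private key is really the certificate's key and (2) verifying the
# signed challenge message. Requires openssl; all key material is generated
# locally for the demo (constructed, not the certificate from the report).
set -eu

# Compare SHA-256 digests of the DER SubjectPublicKeyInfo taken from the
# certificate and derived from the private key. Equal digests mean the key
# found in the binary is the certificate's key, not just any key.
key_matches_cert() {  # $1 = cert.pem, $2 = key.pem
  cert_spki=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_spki=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$cert_spki" = "$key_spki" ]
}

# Verify the detached signature over the challenge with the certificate's
# public key (the same openssl dgst -verify check the report suggests).
challenge_signature_valid() {  # $1 = cert.pem, $2 = message, $3 = signature
  pub=$(mktemp)
  openssl x509 -in "$1" -noout -pubkey > "$pub"
  rc=0; openssl dgst -sha256 -verify "$pub" -signature "$3" "$2" >/dev/null 2>&1 || rc=$?
  rm -f "$pub"; return $rc
}

# Reviewer verdict: CONFIRMED only when both checks pass.
assess_compromise_report() {  # $1 = cert, $2 = key, $3 = message, $4 = sig
  if key_matches_cert "$1" "$2" && challenge_signature_valid "$1" "$3" "$4"; then
    echo CONFIRMED
  else
    echo NOT-CONFIRMED
  fi
}

# --- Constructed demo material: throwaway key, self-signed cert, unrelated key ---
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$tmp/key.pem" -out "$tmp/cert.pem" \
  -subj "/CN=drmlocal.example" -days 1 >/dev/null 2>&1
openssl genpkey -algorithm RSA -out "$tmp/other.pem" >/dev/null 2>&1
printf 'Proof of possession for key-compromise report\n' > "$tmp/message.txt"
openssl dgst -sha256 -sign "$tmp/key.pem" -out "$tmp/message.txt.sig" "$tmp/message.txt"

assess_compromise_report "$tmp/cert.pem" "$tmp/key.pem" "$tmp/message.txt" "$tmp/message.txt.sig"    # CONFIRMED
assess_compromise_report "$tmp/cert.pem" "$tmp/other.pem" "$tmp/message.txt" "$tmp/message.txt.sig"  # NOT-CONFIRMED
```

Once a report is confirmed this way, the certificate meets the Baseline Requirements key-compromise revocation criterion the report asks about, and the issuer is the party that performs the revocation.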