GoDaddy LLC first became aware of possible ROCA vulnerability exposure on Monday October 16th 2017 at 9:30am. The following are the steps we took for detection, revocation, and the permanent fix of certificate provisioning:
• Monday October 16th 2017 AZ, first became aware of the ROCA vulnerability. We downloaded and modified the open source detection tool to audit 100% of the non-revoked and non-expired certs we had issued.

• Early am Wednesday October 18th AZ we had our complete list of 7 certs with the ROCA defect. We verified the results and proceeded to start the revocation process. While cert revocation was in progress we started researching the long-term detection and prevention of the weak CSR vulnerability.

• Early am Wednesday October 18th Rob Stradling released a list of certs with the vulnerability. 2/7 we revoked were on the list. https://misissued.com/batch/28/

• Thursday October 19th by 2:02am AZ, we completed the 7 cert revocations. Revocations included customer outreach to advise the customer of the vulnerability.

• Thursday October 19th AZ, two CSRs were submitted for commonNames “scada2.emsglobal.net” & “scada.emsglobal.net” and were issued. Each request had used the vulnerable keys for CSR generation. We revoked the certs again on Thursday October 19th AZ. During this period, we reached out to the customer to educate them regarding the vulnerability and informing them they needed to generate a new keypair from an unimpacted device. Customer was unreachable. Friday October 20th AZ, another cert was issued for commonName “scada.emsglobal.net” using a CSR generated with a weak key. We then took measures to prevent future certs from being issued to the same common name and revoked the cert on October 20th 2017 AZ.

    commonName              crt.sh-link
    scada.emsglobal.net     https://crt.sh/?id=3084867
    scada.emsglobal.net     https://crt.sh/?id=238721704
    scada.emsglobal.net     https://crt.sh/?id=238721807
    scada2.emsglobal.net    https://crt.sh/?id=238720969
    scada2.emsglobal.net    https://crt.sh/?id=238721559

• Saturday October 21st 2017 AZ & Sunday October 22nd 2017 AZ, we scanned our cert store and identified 0 vulnerable certs.
• Monday October 23, 2017 AZ, we have deployed a permanent fix to prevent future CSRs generated using weak keys from being submitted. Post scanning of the environment concluded 0 certificates at risk.

Below is a complete list of certs under GoDaddy management impacted by this vulnerability.

    Alias                            crt.sh-link
    alarms.realtimeautomation.net    https://crt.sh/?id=33966207
    scada.emsglobal.net              https://crt.sh/?id=3084867
                                     https://crt.sh/?id=238721704
                                     https://crt.sh/?id=238721807
    www.essicorp-scada.com           https://crt.sh/?id=238720405
    marlboro.bonavistaenergy.com     https://crt.sh/?id=238720743
    scada2.emsglobal.net             https://crt.sh/?id=238720969
                                     https://crt.sh/?id=238721559
    www.jointboardclearscada.com     https://crt.sh/?id=238721242
    *.forgenergy.com                 https://crt.sh/?id=238721435

Regards,
Daymion Reynolds
GoDaddy PKI
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy

