On Friday, January 12, 2018 at 8:33:42 AM UTC-7, Hanno Böck wrote:
> Hi,
>
> Comodo ITSM (IT Service Management Software) runs an HTTPS server on
> localhost and port 21185. The domain localhost.cmdm.comodo.net pointed
> to localhost.
>
> It is obvious that with this setup the private key is part of the
> application and thus compromised. With advanced next generation key
> extraction software (strings and grep) I was able to extract the
> private key from the software executable.
>
> There exist two certificates that use the same key plus two
> precertificates. Only one of the certificates is still valid, the other
> is expired. List:
> https://crt.sh/?spkisha256=accbb60afe2d28949e21d76f298a2f20c0a24488ad0980ea31b4c0e04b952879
>
> I reported this to Comodo earlier today and the certificate got revoked
> very quickly. It was pointed out to me that Comodo ITSM was developed
> by Comodo Security Solutions and that Comodo CA played no part in the
> development of that software.
>
> --
> Hanno Böck
> https://hboeck.de/
>
> mail/jabber: ha...@hboeck.de
> GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
Can you request a CVE for this? Thanks.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
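The report above is a case of a private key shipped inside a software executable, where a "strings and grep" pass is enough to find it. The defender-side counterpart is a release gate that scans build artifacts for embedded PEM blocks before they ship and fails the build when a plaintext private key is present. The following script is an added example written for this page; it is not code from the thread, from Comodo, or from Hanno Böck. The sample "binary" it scans is constructed inline (fake ELF header bytes with fake PEM blocks whose base64 bodies are just labelled placeholder bytes), and the function and variable names are this example's own. It reports only the label, offset and a SHA-256 of the decoded DER body for each block, never the key material itself, so the finding can be filed against the matching certificate without the report reproducing the secret.

```python
"""Scan a build artifact for embedded PEM private keys (added example, not from the page).

Usage: python pem_gate.py <artifact>   (exit status 1 if a plaintext private key is embedded)
"""
import base64
import hashlib
import re
import sys

# PEM labels that carry private-key material. PKCS#8 "ENCRYPTED PRIVATE KEY"
# is still reported, but classified as encrypted rather than plaintext.
PRIVATE_KEY_LABELS = {
    "RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY",
    "PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "OPENSSH PRIVATE KEY",
}

# A PEM block: BEGIN line, optional RFC 1421 headers, base64 body, matching END line.
# The backreference (?P=label) forces BEGIN and END labels to agree.
PEM_RE = re.compile(
    rb"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    rb"(?P<body>.*?)"
    rb"-----END (?P=label)-----",
    re.DOTALL,
)


def scan_blob(blob: bytes) -> list:
    """Return one finding dict per well-formed PEM block found anywhere in blob."""
    findings = []
    for m in PEM_RE.finditer(blob):
        label = m.group("label").decode("ascii")
        header_lines, b64_lines = [], []
        for line in m.group("body").splitlines():
            line = line.strip()
            if not line:
                continue
            # Header lines ("Proc-Type: 4,ENCRYPTED", "DEK-Info: ...") contain a
            # colon; base64 never does, so this split is unambiguous.
            if b":" in line and not b64_lines:
                header_lines.append(line)
            else:
                b64_lines.append(line)
        try:
            der = base64.b64decode(b"".join(b64_lines), validate=True)
        except ValueError:
            # BEGIN/END markers with a non-base64 body, e.g. a help string or
            # a template; not an actual key or certificate.
            continue
        encrypted = label == "ENCRYPTED PRIVATE KEY" or any(
            h.startswith(b"Proc-Type:") and b"ENCRYPTED" in h for h in header_lines
        )
        findings.append({
            "label": label,
            "offset": m.start(),
            "der_sha256": hashlib.sha256(der).hexdigest(),  # fingerprint, not the key
            "is_private_key": label in PRIVATE_KEY_LABELS,
            "encrypted": encrypted,
        })
    return findings


def has_plaintext_private_key(findings: list) -> bool:
    """The gate condition: any unencrypted private-key block fails the build."""
    return any(f["is_private_key"] and not f["encrypted"] for f in findings)


# --- constructed sample artifact (placeholder bytes, not real keys) ---------

def _fake_pem(label: str, payload: bytes, headers=()) -> bytes:
    """Wrap constructed bytes in PEM armour so the scanner has something to find."""
    hdr = b"".join(h + b"\n" for h in headers)
    if hdr:
        hdr += b"\n"  # blank line separates headers from the base64 body
    return (f"-----BEGIN {label}-----\n".encode() + hdr
            + base64.encodebytes(payload) + f"-----END {label}-----\n".encode())


SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 16                       # fake ELF header
    + _fake_pem("CERTIFICATE", b"constructed-cert-bytes")
    + b"\x00" * 8
    + _fake_pem("RSA PRIVATE KEY", b"constructed-key-bytes")     # the shipped secret
    + b"\x00" * 8
    + _fake_pem("RSA PRIVATE KEY", b"constructed-enc-bytes",
                headers=[b"Proc-Type: 4,ENCRYPTED", b"DEK-Info: AES-128-CBC,00"])
    + b"-----BEGIN PRIVATE KEY-----\n%%not base64%%\n-----END PRIVATE KEY-----\n"
)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    results = scan_blob(data)
    for f in results:
        kind = "PRIVATE KEY" if f["is_private_key"] else "other"
        enc = " (encrypted)" if f["encrypted"] else ""
        print(f"offset {f['offset']:>8}  {f['label']:<24} {kind}{enc}  der-sha256 {f['der_sha256'][:16]}...")
    sys.exit(1 if has_plaintext_private_key(results) else 0)
```

Run against an unpacked installer or the application executable as a CI step; the non-zero exit status on a plaintext key is the point, since a key that is present in the artifact must be treated as public from the moment the artifact leaves the build system, exactly as the report above treats it. Encrypted PEM blocks are reported but do not fail the gate on their own; whether the passphrase is also in the binary is a separate review.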