CVE-2004-2761, weak hashing algorithm used on intermediary certficate


#1

Hello, all!

I’ve been getting my site ready for PCI compliance and received this feedback from my scanner, which appears to be related to a certificate in the chain used by letsencrypt:

CVSS base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
QID: 6464659
Category: General
CVE ID: CVE-2004-2761 BID : 33065, 11849 Other references { cwe : 310cert : 836068osvdb : 45127, 45106, 45108 }
Threat:
A known CA SSL certificate in the certificate chain has been signed using a weak hashing algorithm.
Impact:
The remote service uses a known CA certificate in the SSL certificate chain that has been signed using a cryptographically weak hashing algorithm (e.g., MD2, MD4, MD5, or SHA1). These signature algorithms are known to be vulnerable to collision attacks. An attacker can exploit this to generate another certificate with the same digital signature, allowing the attacker to masquerade as the affected service.

Note that this plugin reports all SSL certificate chains signed with SHA-1 that expire after January 1, 2017 as vulnerable. This is in accordance with Google’s gradual sunsetting of the SHA-1 cryptographic hash algorithm.
Solution:
Contact the Certificate Authority to have the certificate reissued.
Result:

The following known CA certificates were part of the certificate
chain sent by the remote host, but contain hashes that are considered
to be weak.

|-Subject : O=Digital Signature Trust Co./CN=DST Root CA X3
|-Signature Algorithm : SHA-1 With RSA Encryption
|-Valid From : Sep 30 21:12:19 2000 GMT
|-Valid To : Sep 30 14:01:15 2021 GMT

Is there any way to work around this so a stronger version of the certificate in the chain can be obtained?


#2

Hi @Kelketek,

I think this is the same problem as

In this case, the scanning vendors are misinterpreting the requirements.


#3

That thread also links to an even older thread that seems to be about the same misleading PCI scanning tool!


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.