---
Introduction
TLS (Transport Layer Security) is supposed to keep your online data private—whether you’re shopping, chatting, or simply visiting a website. But what if someone could sneak through the cracks in your security? That’s exactly what can happen if your system trusts the wrong certificates. Today, we’re breaking down CVE-2023-40104, a critical vulnerability in ca-certificates that lets attackers do just that.
Let’s see what’s going on, how the exploit works, and what you can do to protect yourself.
What is ca-certificates?
The ca-certificates package is a bundle of trusted root certificates. Your browser, OS, and many apps use these to check if encrypted connections (TLS/SSL) are really secure and trusted. If a bad or untrusted certificate sneaks in here, all bets are off—you might accept fake secure connections without realizing it.
According to the NVD entry for CVE-2023-40104
> In ca-certificates, there is a possible way to read encrypted TLS data due to untrusted cryptographic certificates. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
In simple terms: your system might mistakenly trust a certificate it shouldn’t. With that, an attacker can intercept and decrypt your “secure” traffic—what’s called a Man-in-the-Middle attack—without needing to trick you into running anything, or even interact with you at all.
How the Exploit Works (Step By Step)
Let’s walk through a possible attack scenario. Imagine Alice wants to visit her bank’s website.
Attacker Inserts a Bad Certificate
The attacker somehow adds a rogue or malicious certificate into Alice’s system’s ca-certificates store.
Victim Connects to Secure Site
Alice’s browser tries to connect to her bank over HTTPS. The attacker is sitting on her network (say, at a coffee shop WiFi router).
Attacker Performs TLS Interception
The attacker intercepts the connection, and responds with a fake certificate—signed with the bad certificate that Alice’s system now trusts.
Alice’s System Trusts the Connection
Her browser/application sees that the certificate is “trusted” (because it’s in the ca-certificates bundle), and doesn’t warn her.
The attacker can now read, and even modify, all the encrypted data sent and received by Alice.
No special permissions or user actions required. That’s what makes the problem so serious.
Example Exploit: Proof of Concept Code
Here’s Python code using mitmproxy (an open-source man-in-the-middle tool) to illustrate the basic attack flow:
# This script won't work out of the box -- it's for demonstration.
# It shows the basic steps of using a bad CA cert to intercept traffic.
from mitmproxy import options
from mitmproxy.tools.dump import DumpMaster
def run_mitm_with_bad_ca():
opts = options.Options(
listen_host='...',
listen_port=808,
ssl_insecure=True, # Accept connections even with invalid cert
certs=['bad-ca-cert.pem'] # The malicious CA certificate
)
m = DumpMaster(opts)
try:
m.run()
except KeyboardInterrupt:
m.shutdown()
if __name__ == "__main__":
run_mitm_with_bad_ca()
Note: If the victim's ca-certificates includes bad-ca-cert.pem as trusted, all intercepted HTTPS traffic is revealed.
Update ca-certificates:
Always keep this package up to date! (On Debian/Ubuntu, run sudo apt update && sudo apt upgrade ca-certificates.)
Monitor Your Certificate Store:
Periodically check /etc/ssl/certs/ca-certificates.crt on Linux or use OS tools to see what’s trusted.
References
- NVD entry for CVE-2023-40104
- Ubuntu Security Notice USN-6336-1
- mitmproxy documentation
In Conclusion
CVE-2023-40104 shows us how a simple mistake with certificates opens the door for attackers to view what should be private. Tools like ca-certificates are massively important for our security—but only if they’re kept clean and current. Always update, stay alert to security notices, and don’t just trust any certificate you find online!
This will help keep your “secure” connections truly secure.
Timeline
Published on: 02/15/2024 23:15:08 UTC
Last modified on: 08/01/2024 13:44:27 UTC