CSS Snoops Out SCEP Vulnerability
Under the heading Vulnerability Note VU#971035, Certified Security Solutions details what it uncovered as a Simple Certificate Enrollment Protocol (SCEP) security issue. Essentially, SCEP does not strongly authenticate certificate requests, meaning users of SCEP for issuing digital certificates to mobile devices may be subject to a privilege escalation attack. The problemís cause is related to a combination of features, configurations, and use cases that collectively open an avenue of attack. Mobile-device management systems leveraging SCEP to issue certificates for authentication into enterprise systems such as Wi-Fi, VPN, or ActiveSync are the most affected. Certified Security Solutions is working with US-CERT and CERT/CC to facilitate notifications and information disclosure. The US-CERT vulnerability report is viewable at www.kb.cert.org/vuls/id/971035. For more info, visit www.css-security.com/scep.
Want to use this article? Click here for options!
© 2013 Penton Media Inc.
Acceptable Use Policy blog comments powered by Disqus
Most Popular Stories
CTIA Wireless IT & Entertainment 2010
Read the latest from the show...