Vaion-260: vcore gateway certificates revoked

Release Date

4th March 2020.

Overview

A bug in Let's Encrypt's validation of domain ownership meant that some number of certificates issued to vCores have been revoked for some customers. See https://community.letsencrypt.org/t/2020-02-29-caa-rechecking-bug/114591 for the original issue.

Affected Products

• vcore: All versions using vCloud Gateway.

Unaffected Products

• vcam: All versions.
• vcloud: All versions.

Resolution

The affected certificates will be renewed automatically before the 30th of April 2020. This certificate can also be renewed manually (see mitigations).

Vulnerability Information

As certificates have been revoked, customers using the vCloud gateway feature may see a "certificate revoked" warning when browsing to their vCore through their browser. An attacker could take advantage of this warning to man-in-the-middle the vCore and intercept sessions without the end user being aware as the correct certificate is also invalid.

• CVSSv3 score: 5.3 Medium
• CVSSv3.1 vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:W/RC:C

Mitigations

Certificates can be renewed manually with the following process

• Go to the "Servers" tab
• Select the "Cloud" popup
• Disable remote access
• Select the server
• On the right hand side, press "View Certificates"
• Find "Vaion Cloud Certificate", and press the 3 dots, and then "Delete"
• Return to the "Cloud" popup and re-enable remote access
• A new certificate will be provisioned within 10 minutes.

Acknowledgements

Issue reported by LetsEncrypt.

Disclosure Timeline

• 29/02/2020 Vulnerability confirmed by LetsEncrypt
• 03/03/2020 Affected customers identified
• 03/03/2020 Workaround identified
• 04/03/2020 Vulnerability disclosed