
CVE-2021-40088 : Security Advisory and Response

This CVE-2021-40088 article describes a security issue in PrimeKey EJBCA before version 7.6.0 that could allow one tenant to revoke a certificate belonging to another tenant.

Understanding CVE-2021-40088

This section covers the background and impact of CVE-2021-40088.

What is CVE-2021-40088?

PrimeKey EJBCA before 7.6.0 allows configuring CMP RA Mode to authenticate enrolling clients using a known client certificate. The same RA client certificate is used for revocation requests, enabling a known tenant to revoke another tenant's certificate.

The Impact of CVE-2021-40088

Because the CA does not verify that the requesting tenant owns the certificate being revoked, a tenant can revoke a certificate that another tenant depends on, an unauthorized revocation that the affected tenant did not request.

Technical Details of CVE-2021-40088

This section describes the technical aspects of CVE-2021-40088.

Vulnerability Description

The vulnerability in PrimeKey EJBCA before 7.6.0 originates from a missing tenant check during certificate revocation: a revocation request authenticated by one tenant's RA client certificate is accepted for certificates issued to a different tenant.

Affected Systems and Versions

Affected Product: PrimeKey EJBCA
Affected Version: before 7.6.0

Exploitation Mechanism

The issue arises because multi-tenancy constraints are not enforced during certificate revocation: the RA client certificate that authenticates a tenant for CMP RA Mode enrollment is also accepted for revocation requests, without checking that the certificate being revoked belongs to that tenant.

Mitigation and Prevention

The following steps mitigate the risks associated with CVE-2021-40088.

Immediate Steps to Take

Upgrade PrimeKey EJBCA to version 7.6.0 or newer.
Revoke and reissue certificates if unauthorized revocations are suspected.
Implement strict access controls for RA client certificates.

Long-Term Security Practices

Regularly audit and monitor certificate revocation requests for anomalies.
Educate users about secure certificate management practices and tenant responsibilities.
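As an added example (not EJBCA code, and not a description of how EJBCA implements its fix), the following Python model shows the tenant-ownership check that the Exploitation Mechanism section says is missing from revocation handling, and reuses that check to audit a set of constructed revocation records for cross-tenant revocations, as the long-term practices above recommend. The record fields, tenant names and serial numbers are constructed for illustration.

```python
# Added example: model of the tenant check a CMP RA-mode revocation handler must
# enforce, plus an audit pass over revocation records. This is NOT EJBCA's own
# code; all record fields, tenants and serials below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class IssuedCert:
    serial: str
    subject: str
    tenant: str          # tenant the certificate was issued to (constructed label)


@dataclass(frozen=True)
class RevocationRequest:
    ra_client: str       # RA client certificate that authenticated the CMP message
    ra_tenant: str       # tenant that RA client certificate is bound to
    target_serial: str   # serial of the certificate the request asks to revoke


# Constructed inventory: two tenants, one certificate each.
CERTS = {
    "1001": IssuedCert("1001", "CN=app.tenant-a.example", "tenant-a"),
    "2002": IssuedCert("2002", "CN=app.tenant-b.example", "tenant-b"),
}


def authorize_without_tenant_check(req, certs=CERTS):
    """Models the flaw the advisory describes: any known RA client may revoke any known cert."""
    return req.target_serial in certs


def authorize_with_tenant_check(req, certs=CERTS):
    """The missing check: the RA client's tenant must own the target certificate."""
    cert = certs.get(req.target_serial)
    return cert is not None and cert.tenant == req.ra_tenant


def audit(requests, certs=CERTS):
    """Return processed requests whose RA tenant does not own the target certificate
    (unknown serials are also returned, since they are anomalous in a revocation log)."""
    return [r for r in requests if not authorize_with_tenant_check(r, certs)]


# Constructed revocation log: one legitimate request, one cross-tenant, one unknown serial.
CONSTRUCTED_LOG = [
    RevocationRequest("ra-a", "tenant-a", "1001"),
    RevocationRequest("ra-a", "tenant-a", "2002"),
    RevocationRequest("ra-b", "tenant-b", "9999"),
]
```

Running `audit(CONSTRUCTED_LOG)` returns the cross-tenant request and the unknown-serial request while leaving the legitimate one alone; the same check applied before revocation is performed is what blocks the cross-tenant case.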

Patching and Updates

Ensure timely patching and updates to the PrimeKey EJBCA system to address the vulnerability.
