Researchers at Certified Security Solutions, Inc. (CSS), a leading information security company, have uncovered a potentially serious security issue pertaining to the use of the Simple Certificate Enrollment Protocol (SCEP) in conjunction with mobile devices. Organizations that leverage SCEP to issue digital certificates to mobile devices may be subject to a privilege escalation attack.
The problem is not caused by an implementation error in a single product, or by an issue with the SCEP protocol itself, but rather by a combination of features, configurations, and use cases that, together, open up a previously unforeseen avenue of attack. Mobile Device Management (MDM) systems that leverage SCEP to issue certificates for authentication into enterprise systems such as Wi-Fi, VPN, or ActiveSync are among the most critically affected scenarios.
Certified Security Solutions has been working for several weeks with US-CERT and CERT/CC at Carnegie Mellon to facilitate notifications and information disclosure through the proper channels. The official US-CERT vulnerability report can be found here.
“We strongly encourage every organization that uses SCEP or a Mobile Device Management system along with an enterprise Public Key Infrastructure to take a deeper look to see whether they’re affected and at risk,” said Ted Shorter, CSS’ Chief Technology Officer. “We’ve set up an area on our website that takes a deeper dive into explaining the vulnerability, and the steps for enterprises to protect themselves.”
Click here to visit the online informational portal.
Read Gartner’s article on mobile device certificate enrollment vulnerabilities
Download an essay on the SCEP protocol and untrusted devices
About CSS – CSS is an information security company specializing in identity and access management solutions. The company, headquartered in Cleveland, Ohio, has operations throughout North America. CSS provides enterprise-ready software, managed security services, Security as a Service, and consulting services. CSS’ security solutions allow clients to secure and operate in cloud computing platforms, “Bring Your Own Device” initiatives, and the emerging market of the “Internet of Things.” For more information and for a complete list of branch offices, click here to Request Information.