Simple Certificate Enrollment Protocol (SCEP) does not strongly authenticate certificate requests
View the entire report here: Vulnerability Note VU#971035
Organizations that use the Simple Certificate Enrollment Protocol (SCEP) to enroll mobile devices may face an increased security risk. Through our experience deploying Public Key Infrastructure (PKI) and Mobile Device Management (MDM) software for enterprise clients, we have uncovered a security vulnerability. Because SCEP does not strongly authenticate who is requesting a certificate, mobile devices that are issued digital certificates via SCEP may be susceptible to a privilege escalation attack, in which a certificate is obtained for an identity other than the one the requester is entitled to.
To learn more about how the exploit works please watch the video and read the white paper below.
Security Vulnerability: The Use of the Simple Certificate Enrollment Protocol (SCEP) and Untrusted Devices
It’s been in the works for quite some time, but we are finally able to publicly announce a problem we’ve encountered related to the use of the Simple Certificate Enrollment Protocol, or SCEP, in conjunction with mobile devices. We’ve been working for months behind the scenes with the folks at the United States Computer Emergency Readiness Team (US-CERT) and CERT/CC at Carnegie Mellon, with our customers, and with a number of vendors to help raise awareness of the issue. The CERT report can be found here, and we have a whitepaper and video overview to provide more information.
It should be noted that not all MDM usage of SCEP is equally vulnerable. The scenarios that cause the most concern to us are those that involve the use of SCEP to issue authentication certificates to enterprise systems such as ActiveSync, WiFi, and VPN. In some cases it may be possible to use alternative configurations that reduce or eliminate these risks; in others, it may be more difficult. CSS is willing to help customers assess their specific usage of SCEP and PKI to determine their degree of exposure.
Additionally, we have built a SCEP Validation engine into our certificate lifecycle management product that solves this issue in a very elegant fashion. We are making this engine available for license by interested third parties as well.
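To make the risk in the scenarios above concrete, the following is an added illustration written for this page; it is not CSS's SCEP Validation engine, nor code from CERT/CC or any MDM vendor, and all device, user and secret names in it are constructed. It models only the registration authority's policy decision (not PKCS#10 or PKCS#7 handling): the SCEP challengePassword proves that the requester knows a secret, but by itself says nothing about whose name appears in the CSR. With one static password shared across an MDM deployment, anyone holding it can request a certificate for a privileged identity. Binding each one-time challenge to the identity the MDM vetted, and checking the CSR against it, closes that gap.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Csr:
    """The parts of a PKCS#10 request the RA policy looks at (constructed model)."""
    subject_cn: str           # CN the device asks for
    upn: str                  # subjectAltName UPN the device asks for
    challenge_password: str   # SCEP challengePassword attribute in the CSR


@dataclass
class Challenge:
    """One enrolment challenge and the identity the MDM vetted when issuing it."""
    expected_cn: str
    expected_upn: str
    used: bool = False


class SharedSecretRA:
    """Weak configuration: a single static challenge password shared by every
    device. The password proves only that the requester has the secret; the RA
    has nothing to compare the requested subject against, so it issues whatever
    the CSR names."""

    def __init__(self, shared_secret: str) -> None:
        self._secret = shared_secret

    def decide(self, csr: Csr) -> str:
        if not hmac.compare_digest(csr.challenge_password, self._secret):
            return "reject: bad challenge password"
        return f"issue: {csr.subject_cn} / {csr.upn}"


class BoundChallengeRA:
    """Hardened configuration: a fresh one-time challenge per enrolment, stored
    with the identity the MDM authenticated. The certificate is issued only if
    the CSR's subject and SAN match that identity, and the challenge is retired."""

    def __init__(self) -> None:
        self._challenges: dict[str, Challenge] = {}

    def issue_challenge(self, cn: str, upn: str) -> str:
        secret = secrets.token_urlsafe(24)
        self._challenges[secret] = Challenge(cn, upn)
        return secret

    def decide(self, csr: Csr) -> str:
        ch = self._challenges.get(csr.challenge_password)
        if ch is None:
            return "reject: unknown challenge password"
        if ch.used:
            return "reject: challenge password already used"
        if (csr.subject_cn, csr.upn) != (ch.expected_cn, ch.expected_upn):
            return (f"reject: CSR names {csr.subject_cn} / {csr.upn} but the "
                    f"challenge was issued for {ch.expected_cn} / {ch.expected_upn}")
        ch.used = True
        return f"issue: {csr.subject_cn} / {csr.upn}"


def demo() -> dict[str, str]:
    """Run the same privileged CSR through both configurations (constructed data)."""
    attacker_wants = ("vpn-admin", "admin@corp.example")  # hypothetical privileged identity

    # Weak: the static password present in every MDM profile is all the attacker needs.
    shared = SharedSecretRA("corp-scep-secret")
    weak = shared.decide(Csr(*attacker_wants, challenge_password="corp-scep-secret"))

    # Hardened: the challenge handed to alice's phone only buys alice's certificate.
    bound = BoundChallengeRA()
    alice_challenge = bound.issue_challenge("device-0042", "alice@corp.example")
    escalation = bound.decide(Csr(*attacker_wants, challenge_password=alice_challenge))
    legitimate = bound.decide(Csr("device-0042", "alice@corp.example", alice_challenge))
    replay = bound.decide(Csr("device-0042", "alice@corp.example", alice_challenge))

    return {"weak": weak, "escalation": escalation,
            "legitimate": legitimate, "replay": replay}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:11s} {outcome}")
```

The important design choice is that the identity check happens at the RA, against a record created when the MDM authenticated the user or device, rather than trusting any field the untrusted device puts in its CSR. The same check applies whether the certificate is destined for ActiveSync, WiFi or VPN; what changes per deployment is which subject and SAN fields carry the identity those systems authorize against.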