A domain control validation (DCV) vulnerability has resulted in SSL.com wrongly issuing nearly a dozen digital certificates for seven legitimate domains.
The bug was discovered and reported by a researcher who abused it to obtain a fraudulent certificate for aliyun.com, the official website for Alibaba Cloud, one of the largest cloud companies.
“SSL.com failed to conduct accurate domain validation control when utilizing the BR 3.2.2.4.14 DCV method (Email to DNS TXT Contact). It incorrectly marks the hostname of the approver’s email address as a verified domain, which is completely erroneous,” the researcher noted in a bug report.
To obtain the fake certificate, the researcher created a ‘_validation-contactemail’ DNS TXT record for a test domain using an @aliyun.com email address, then requested a certificate from SSL.com for the domain, selecting their email address from the email approvers list.
After the researcher finalized the DCV validation process using the DCV random value sent to the specified email address, SSL.com added aliyun.com to the researcher’s list of verified domains, allowing them to obtain certificates for aliyun.com and www.aliyun.com.
“I’m not administrator, admin, hostmaster, postmaster, or webmaster of aliyun.com. And also, _validation-contactemail with the value of my email is never configured for aliyun.com,” the researcher notes.
SSL.com responded to the bug report, immediately disabling the domain validation method used by the researcher. On Monday, it revealed that the incorrect implementation of the DCV method resulted in certificates being wrongly issued for the hostname of the approver’s email address.
“The certificate has already been revoked, the relevant DCV record has been invalidated and the DCV method has been disabled until remediation of the issue. After scanning the entire corpus of certificates issued with the above method, we identified ten (10) additional affected certificates that were mis-issued and have now been revoked,” SSL.com said.
Starting June 2024, in addition to aliyun.com, certificates were misissued for *.medinet.ca, help.gurusoft.com.sg, banners.betvictor.com, production-boomi.3day.com, kisales.com, and medc.kisales.com.
“During our investigation we determined that this did not affect the systems and APIs used by Entrust. SSL.com will maintain transparency with the community as we continue our investigation and will provide more information as we complete our root cause analysis,” SSL.com said.
Related: Internet Giants Agree to Reduce TLS Certificate Lifespan to 47 Days by 2029
Related: New Issuance Requirements Improve HTTPS Certificate Validation
Related: DigiCert Revoking 83,000 Certificates of 6,800 Customers
Related: Chinese Cyberespionage Group ‘Billbug’ Targets Certificate Authority