Bugtraq mailing list archives
Certificate trust vulnerability in Websense Content Gateway
From: Steve Shockley <steve.shockley () shockley net>
Date: Wed, 13 May 2015 21:25:27 -0400
SUMMARY
Websense Content Gateway proxy explicitly trusts compromised certificate authorities.

Affected versions: Content Gateway 7.8.x
Not affected: Content Gateway 7.7.x, 8.0

DESCRIPTION
Websense Content Gateway is a filtering web proxy and content inspection application based on a modified Inktomi/Apache Traffic Server. To enable inspection and filtering of encrypted traffic, the application uses an internal certificate authority and decrypts and re-encrypts traffic passing through the device. Because all HTTPS traffic accessed via Content Gateway appears to the client to be signed by the Content Gateway CA, the client can no longer validate the origin server's certificate itself; Content Gateway therefore maintains its own list of trusted certificate authorities and performs that validation on the client's behalf.
Websense updates the list of trusted certificate authorities with each new major version (7.7.0, 7.8.0, etc.). It appears new trusted certificates were imported from the Mozilla/NSS CA store for 7.8.0, but the "deny trust" flag was set incorrectly. Therefore, the status of compromised certificates (DigiNotar, UTN-USERFirst-Hardware, Digisign (Enrich)) was imported as "explicitly trusted" instead of "untrusted".
RISK
An attacker with access to these compromised certificates could mount a phishing or MITM attack against clients behind a Content Gateway without raising suspicions.
RESOLUTION
Websense will not release a patch for this issue. Users of affected systems can upgrade to 8.0, manually delete the compromised trusted certificate authorities, or change the status to "Deny". I have provided steps below which update the status in bulk from the OS shell (non-appliance).
FIX
You should review and test these steps first, and evaluate if any other trusted certificates should be updated or removed. These steps are not supported by Websense, and there is no warranty.
From the shell, execute the following commands. This script will change the "status" column to 1 (deny) for the certificate authorities with the listed hashes. Content Gateway must be stopped, or your changes will be overwritten.
sudo service WCG stop
sudo /usr/bin/sqlite3 /opt/WCG/config/new_scip3.db

Paste the following script:

UPDATE cert_issuer SET status = 0 WHERE issuer_hash IN (
    '20533f91_0FFFFFFF',
    '46f053f0_0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF',
    '84009bc3_0FFFFFFF',
    '856583ec_0FFFFFFF',
    'aee5f10d_07FFFFFFFFFF',
    'b13cc6df_047ECBE9FCA55F7BD09EAE36E10CAE1E',
    'b13cc6df_392A434F0E07DF1F8AA305DE34E0C229',
    'b13cc6df_3E75CED46B693021218830AE86A82A71',
    'b13cc6df_72032105C50C08573D8EA5304EFEE8B0',
    'b13cc6df_9239D5348F40D1695A745470E1F23F43',
    'b13cc6df_B0B7133ED096F9B56FAE91C874BD3AC0',
    'b13cc6df_D7558FDAF5F1105BB213282B707729A3',
    'b13cc6df_D8F35F4EB7872B2DAB0692E315382FB0',
    'b13cc6df_E9028B9578E415DC1A710A2B88154447',
    'b13cc6df_F5C86AF36162F13A64F54F6DC9587C06',
    'c692a373_07FFFFFFFFFF',
    'cc154c6e_0FFFFFFF',
    'cee8e824_0FFFFFFF'
);
.quit

sudo service WCG start

TIMELINE
10/10/2014: Opened case with Websense support
10/30/2014: Websense support claims product does not include compromised certificates, and that I added them. I disagree, and verify that a clean install of the product does include them.
11/11/2014: Informed by support that Websense will review the certificates for the next release, but will not issue a patch for existing systems.
11/19/2014: Attempt to escalate issue via sales instead of support
11/20/2014: Sales says they're checking with product management about a patch
1/20/2015: Asked for update on patch
1/21/2015: Informed 8.0 product will include a fix
2/3/2015: Triton 8.0 product released; compromised certificates are no longer included at all
Thanks to Websense Product Security for correcting an error in the SQL script above.
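As an added companion to the fix above (this is example code written for this archive page, not part of the advisory and not a Websense tool), the script below audits a copy of new_scip3.db for the listed issuers, copies the file aside, applies the same UPDATE inside a single transaction, and re-audits. It assumes only the cert_issuer table and the issuer_hash and status columns the advisory names; the sample database, the unrelated issuer row and the SAMPLE_TRUSTED value are constructed for the demo. The numeric deny value is one constant: the advisory's SQL writes 0 while its prose says 1, so confirm which your installation uses, and stop WCG first, before pointing this at the real file.

```python
import shutil
import sqlite3
import tempfile

# Issuer hashes the advisory lists as imported with the wrong trust flag (copied from the page).
COMPROMISED_HASHES = (
    '20533f91_0FFFFFFF', '46f053f0_0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF',
    '84009bc3_0FFFFFFF', '856583ec_0FFFFFFF', 'aee5f10d_07FFFFFFFFFF',
    'b13cc6df_047ECBE9FCA55F7BD09EAE36E10CAE1E', 'b13cc6df_392A434F0E07DF1F8AA305DE34E0C229',
    'b13cc6df_3E75CED46B693021218830AE86A82A71', 'b13cc6df_72032105C50C08573D8EA5304EFEE8B0',
    'b13cc6df_9239D5348F40D1695A745470E1F23F43', 'b13cc6df_B0B7133ED096F9B56FAE91C874BD3AC0',
    'b13cc6df_D7558FDAF5F1105BB213282B707729A3', 'b13cc6df_D8F35F4EB7872B2DAB0692E315382FB0',
    'b13cc6df_E9028B9578E415DC1A710A2B88154447', 'b13cc6df_F5C86AF36162F13A64F54F6DC9587C06',
    'c692a373_07FFFFFFFFFF', 'cc154c6e_0FFFFFFF', 'cee8e824_0FFFFFFF')
DENY = 0            # value the advisory's SQL writes; verify its meaning on your own install
SAMPLE_TRUSTED = 2  # constructed placeholder for a non-deny status, not a real product value
IN_LIST = ','.join('?' * len(COMPROMISED_HASHES))  # parameter markers, one per hash

def audit(db_path):
    """Map issuer_hash -> status for every listed CA still present in cert_issuer."""
    with sqlite3.connect(db_path) as con:
        sql = f"SELECT issuer_hash, status FROM cert_issuer WHERE issuer_hash IN ({IN_LIST})"
        return dict(con.execute(sql, COMPROMISED_HASHES).fetchall())

def still_trusted(db_path):
    return sorted(h for h, s in audit(db_path).items() if s != DENY)  # what remains to fix

def deny_compromised(db_path):
    """Copy the DB aside, then run the advisory's UPDATE in one transaction; returns rows changed."""
    shutil.copy2(db_path, f"{db_path}.bak")
    with sqlite3.connect(db_path) as con:  # commits on success, rolls back on exception
        sql = f"UPDATE cert_issuer SET status = ? WHERE issuer_hash IN ({IN_LIST})"
        return con.execute(sql, (DENY, *COMPROMISED_HASHES)).rowcount

def build_sample_db(db_path):
    """Constructed stand-in for new_scip3.db with only the two columns the advisory names."""
    rows = [(h, SAMPLE_TRUSTED) for h in COMPROMISED_HASHES[:3]] + [('0000feed_01', SAMPLE_TRUSTED)]
    with sqlite3.connect(db_path) as con:
        con.execute("CREATE TABLE cert_issuer (issuer_hash TEXT PRIMARY KEY, status INTEGER)")
        con.executemany("INSERT INTO cert_issuer VALUES (?, ?)", rows)

def run_demo():
    """Audit, remediate, re-audit on the constructed sample; returns (before, changed, after, other)."""
    db = tempfile.mkdtemp() + "/new_scip3.db"
    build_sample_db(db)
    before = still_trusted(db)
    changed = deny_compromised(db)
    with sqlite3.connect(db) as con:  # the unrelated (constructed) issuer must be untouched
        other = con.execute("SELECT status FROM cert_issuer WHERE issuer_hash = '0000feed_01'").fetchone()[0]
    return before, changed, still_trusted(db), other
```

Against a real database, run still_trusted() first to see whether anything is left to remediate, and keep the .bak copy until the proxy has been restarted and checked.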