
DIVD-2022-00013 - The curious case of the odd update.microsoft.com certificates

Our reference DIVD-2022-00013
Case lead Jan Los
Author
Researcher(s)
CVE(s)
  • n/a
Products
  • n/a
Versions
  • n/a
Recommendation If you get a notification about this, we recommend investigating why this certificate is being served and taking appropriate action.
Status Closed
Last modified 08 Dec 2022 16:28

Summary

In August 2022, during his investigation into exposed LDAP servers, DIVD researcher Jan Los noticed that LDAPS servers surprisingly often present a certificate with the subject www.update.microsoft.com. Using Shodan and the query ssl:"www.update.microsoft.com" it was determined that at that point in time:

A second investigation on 27 Feb 2022 reveals that:

Of the servers that present a certificate with the fingerprint 1073570f79136511ba45b44c923a55c69b97e91d3aaa2e06e5e657129ca809ff we know the following:

The certificate for www.update.microsoft.com, signed by the Microsoft Update CA, has been the subject of security trouble in the past: see this tweet from Mikko, and on 18 June 2012 Microsoft had to regenerate the entire certificate chain, according to this article by Eric Romang.

On 21 October, after a call for help to the Dutch o-irt-o community, we received a possible explanation for this data:

We have seen this before and this is not as exciting as it seems. Back then this appeared to be NorthGhost/TouchVPN, which is corroborated by most hosts having port 1194/tcp open. It seems that these hosts use this certificate to avoid being blocked by content filtering. In our investigation, the hosts did not actually have the certificate themselves, but seemed to be forwarding/SRC-NATing the handshake to a valid Microsoft server.

We have checked this explanation against our own data, and the data matches it.

Conclusion

Our suspicion that these certificates belonged to criminal infrastructure was disproven. The servers found appear to be part of the TouchVPN service. These servers employ a trick to avoid being blocked by content-filtering solutions.

TouchVPN's trick may be somewhat dubious, but because the TLS handshake they offer results in an invalid chain (the chain has expired), the security risk is limited.

This trick may allow TouchVPN to bypass certain content-filtering devices, if those devices do not block invalid certificate chains.
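As an added example, not part of the DIVD case file: a small Go program that classifies a presented certificate chain the way the conclusion describes. It builds a constructed stand-in chain (a locally generated CA named "Microsoft Update" and a long-expired leaf for www.update.microsoft.com; neither is a real Microsoft certificate) and checks it twice: once at today's date, where the chain is expired and fails verification, and once at a date inside its validity window, where it verifies. The Probe function shows how the same check would be applied to a live endpoint such as an LDAPS server on port 636; the host and port are the caller's input and it is not called by the offline run.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Finding records what a presented chain looks like to two kinds of content
// filter: one that only matches the subject name, and one that also verifies
// the chain.
type Finding struct {
	SubjectCN   string
	IssuerCN    string
	Expired     bool   // leaf is outside its validity window at the check time
	ChainValid  bool   // chain verifies against roots at the check time
	VerifyError string // reason verification failed, empty if it passed
}

// Classify verifies the leaf (chain[0]) for www.update.microsoft.com against
// roots plus the presented intermediates, as of the given time. A filter that
// matches only on the subject CN sees a Microsoft name and lets the traffic
// through; a filter that checks validity sees an expired, unverifiable chain.
func Classify(chain []*x509.Certificate, roots *x509.CertPool, now time.Time) Finding {
	leaf := chain[0]
	f := Finding{
		SubjectCN: leaf.Subject.CommonName,
		IssuerCN:  leaf.Issuer.CommonName,
		Expired:   now.Before(leaf.NotBefore) || now.After(leaf.NotAfter),
	}
	inter := x509.NewCertPool()
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:       "www.update.microsoft.com",
		Roots:         roots,
		Intermediates: inter,
		CurrentTime:   now,
	})
	if err != nil {
		f.VerifyError = err.Error()
	} else {
		f.ChainValid = true
	}
	return f
}

// Probe fetches the chain a live endpoint (e.g. host:636 for LDAPS) presents,
// without verifying it, so Classify can report on it. No SNI is sent.
func Probe(hostport string, timeout time.Duration) ([]*x509.Certificate, error) {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: timeout}, "tcp", hostport,
		&tls.Config{InsecureSkipVerify: true}) // we want the odd cert, not an error
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates, nil
}

// ConstructedExpiredChain builds a stand-in for what the scanned hosts presented:
// a leaf for www.update.microsoft.com issued by a CA named "Microsoft Update",
// both valid only in 2011-2013. Both are generated locally for this example and
// are not Microsoft's certificates; the CA doubles as the trusted root.
func ConstructedExpiredChain() ([]*x509.Certificate, *x509.CertPool, error) {
	notBefore := time.Date(2011, 6, 1, 0, 0, 0, 0, time.UTC)
	notAfter := time.Date(2013, 6, 1, 0, 0, 0, 0, time.UTC)
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Microsoft Update"},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign,
	}
	ca, err := mint(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "www.update.microsoft.com"},
		DNSNames: []string{"www.update.microsoft.com"}, NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := mint(leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return []*x509.Certificate{leaf, ca}, roots, nil
}

// mint signs tmpl with the parent's key and parses the resulting certificate.
func mint(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	chain, roots, err := ConstructedExpiredChain()
	if err != nil {
		panic(err)
	}
	fmt.Printf("today: %+v\n", Classify(chain, roots, time.Now()))
	fmt.Printf("2012:  %+v\n", Classify(chain, roots, time.Date(2012, 6, 1, 0, 0, 0, 0, time.UTC)))
}
```

Run as-is, the "today" line reports Expired true and ChainValid false with an expiry error, while the "2012" line reports a valid chain; that difference is exactly what separates a filter that inspects only the subject name from one that checks the chain. To inspect a real host, replace the constructed chain with the result of Probe("host:636", 5*time.Second) and pass the system roots (x509.SystemCertPool) instead of the locally generated one.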

What we are doing

No further action required.

What you can do

For now, there is not much you can do.

Timeline

Date Description
05 Feb 2022 Certificates discovered for first time
24 Aug 2022 Case is referred to the ethics committee to see if it fits into the CoC
19 Sep 2022 Ethics committee rules that the case is within the CoC
28 Sep 2022 Ethics committee is asked to reassess the case
05 Oct 2022 Ethics committee explains earlier verdict, case is a go
21 Oct 2022 Got a hint from the community
23 Oct 2022 Case file published
23 Oct 2022 Case closed

More information