NetNanny Found Using Shared Private Key, Root CA

An issue with the content-control software NetNanny could open users’ systems up to man-in-the-middle (MiTM) attacks, HTTPS spoofing and interception, researchers warned Monday.

First released in 1995, the internet filtering service is primarily used by parents to control their children’s online activity.

According to a warning posted yesterday on CERT’s Vulnerability Notes Database, however, the service is “broadly vulnerable” to HTTPS spoofing because it uses a shared private key and root certificate authority.

“The certificate used by NetNanny is shared among all installations of NetNanny,” Garret Wassermann, a vulnerability analyst at CERT, wrote. “Furthermore, the private key used to generate the certificate is also shared and may be obtained in plaintext directly from the software.”

This means that an attacker could generate new certificates signed by the service’s root CA, which would, by extension, appear trustworthy. Because those certificates would not trigger browser certificate warnings, users could be tricked into thinking they were visiting a safe HTTPS site when its certificate was in fact spoofed.

CERT’s warning on Monday named version 7.2.4.2 as the affected build, and it suggests other versions may also be vulnerable.

CERT/CC recommends that users either uninstall NetNanny outright, to remove any bogus certificates it could have created, or disable SSL filtering and then manually remove the certificates.
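The condition CERT describes can be checked for across a fleet: a locally added trusted root whose key is identical on several machines is a shared CA, while a per-installation CA shows up on one host only. The following is an added example, not code from CERT or ContentWatch; the inventory format, host names, baseline set and key bytes are constructed assumptions.

```python
import hashlib
from collections import defaultdict

def key_fp(public_key_bytes: bytes) -> str:
    """SHA-256 of a root's public key. Keying on the public key rather than the
    whole certificate still matches if the same key is wrapped in a re-issued cert."""
    return hashlib.sha256(public_key_bytes).hexdigest()

# Constructed sample data: stand-in byte strings, not real keys.
PUBLIC_ROOT = key_fp(b"constructed: public web CA key")
SHARED_FILTER_ROOT = key_fp(b"constructed: filter key, identical in every install")
PER_INSTALL_ROOT = key_fp(b"constructed: filter key generated on host-c only")

# Assumption: roots shipped by the OS/browser vendor form the baseline.
BASELINE = {PUBLIC_ROOT}

# Assumption: hypothetical inventory format, host -> [(subject, key fingerprint)].
INVENTORY = {
    "host-a": [("Public Web CA", PUBLIC_ROOT), ("Filter Root", SHARED_FILTER_ROOT)],
    "host-b": [("Public Web CA", PUBLIC_ROOT), ("Filter Root", SHARED_FILTER_ROOT)],
    "host-c": [("Public Web CA", PUBLIC_ROOT), ("Filter Root", PER_INSTALL_ROOT)],
}

def audit_local_roots(inventory, baseline, min_hosts=2):
    """Split locally added trusted roots into 'shared' (same key trusted on
    min_hosts or more machines) and 'unique' (key seen on one machine only)."""
    hosts_by_key = defaultdict(set)
    subject_by_key = {}
    for host, roots in inventory.items():
        for subject, fp in roots:
            if fp in baseline:
                continue  # vendor-shipped root, out of scope
            hosts_by_key[fp].add(host)
            subject_by_key.setdefault(fp, subject)
    report = {"shared": [], "unique": []}
    for fp, hosts in sorted(hosts_by_key.items()):
        bucket = "shared" if len(hosts) >= min_hosts else "unique"
        report[bucket].append(
            {"subject": subject_by_key[fp], "key_fp": fp, "hosts": sorted(hosts)}
        )
    return report

if __name__ == "__main__":
    for finding in audit_local_roots(INVENTORY, BASELINE)["shared"]:
        print(f"shared root key {finding['key_fp'][:16]} "
              f"({finding['subject']}) trusted on {', '.join(finding['hosts'])}")
```

Roots reported as shared are the ones to remove from the trust store; roots reported as unique are still locally added and worth confirming against an approved list.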

Emails to NetNanny’s developer, ContentWatch Inc., asking whether the company was working on a fix for the issue went unanswered on Tuesday.


Discussion

  • Stephen Ames on

    I'm sure there is more of this out there.
  • Clayton Ostler on

    My name is Clayton Ostler, I am the Sr. Director of Technology for ContentWatch, the makers of Net Nanny. I am pleased to let you know that we have resolved this vulnerability. Below is the official company statement with info on what was fixed.

    ContentWatch was recently alerted to a potential security vulnerability related to Net Nanny's implementation of SSL/HTTPS content filtering. Although there have been no known exploits, ContentWatch took immediate action to resolve these issues in the Net Nanny product.

    Two issues were identified, the first was that Net Nanny was using the same root Certificate Authority (CA) and Private Key (PK) across all installations of the product. The second was that Net Nanny was storing the Private Key in memory in a way that it could be captured and potentially exploited by a malicious program or process. A detailed description of the issues can be found at http://www.kb.cert.org/vuls/id/260780.

    ContentWatch takes security very seriously and has resolved these issues with the release of Net Nanny for Windows v7.2.5.1. Specifically, the following technical changes were made to the SSL filtering implementation:

    • The SSL filtering setup process now generates a unique root CA/PK for each installation of Net Nanny.
    • Implemented more secure method calls for dealing with secure data in memory. This mitigates the risk of potential capture of the Private Key from memory.
    • The Private Key is now encrypted using strong RSA encryption and is stored in the local database, which is also encrypted.

    These changes are included in Net Nanny for Windows v7.2.5.1. Existing installations of Net Nanny for Windows can receive this new version via the update mechanism in the product. Those wishing to download this version immediately can do so here: http://www.netnanny.com/downloads/

    If you have any questions or concerns, please contact us at support@contentwatch.com.