CRITICAL 10.0 Go

step-ca has Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18)

GHSA-q4r8-xm5f-56gw · CVE-2026-30836 · GO-2026-4775


Description

Summary

An attacker can force a Step CA SCEP provisioner to create certificates without completing certain protocol authorization checks.

Details

SCEP requests carry a message type. On receipt of a SCEP request, Step CA begins by parsing its contents. Message types that were considered valid, but not explicitly supported by Step CA, were still parsed successfully. When the parsed SCEP message was then processed, the authorization logic was skipped for those unsupported message types.

As a result, the request would be treated as authorized, bypassing the authorization checks normally enforced as part of the SCEP protocol and its implementation in Step CA.

Authorization webhooks and regular CA policies, such as allowed names and restrictions on certificate validity periods, remain in place.

Mitigations

If you are unable to upgrade to v0.30.0 or newer, the attack can be mitigated by (temporarily) disabling or removing SCEP provisioners, or restricting access to SCEP provisioners to trusted clients only.

Fix

In v0.30.0, additional validation was added to SCEP provisioners, so that they reject unsupported message types.
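The Details and Fix sections above describe a dispatch-on-message-type bug: types the provisioner does not explicitly handle fall through without an authorization check, and the fix is to reject them before any issuance path is reached. The following Go program is an added illustration of that pattern and its default-deny correction; it is not step-ca's code and does not reproduce its SCEP implementation. The `scepRequest` type, the `authorizeWeak`/`authorizeFixed` functions and the challenge-password check standing in for provisioner authorization are all assumptions made for the example. The PKCSReq (19) and RenewalReq (17) values follow RFC 8894; UpdateReq (18) is the value named in this advisory.

```go
package main

import (
	"errors"
	"fmt"
)

// SCEP messageType values used in this example. PKCSReq and RenewalReq are
// taken from RFC 8894; UpdateReq=18 is the value this advisory refers to.
const (
	msgRenewalReq = 17
	msgUpdateReq  = 18
	msgPKCSReq    = 19
)

// scepRequest is a deliberately simplified model of a decoded SCEP pkiMessage
// (an assumption for this example, not step-ca's own type).
type scepRequest struct {
	MessageType       int
	ChallengePassword string // challengePassword attribute, empty if absent
}

var (
	errUnauthorized    = errors.New("scep: unauthorized request")
	errUnsupportedType = errors.New("scep: unsupported messageType")
)

// supportedTypes lists the message types this hypothetical provisioner
// implements. Anything else must be rejected, not silently accepted.
var supportedTypes = map[int]bool{
	msgPKCSReq:    true,
	msgRenewalReq: true,
}

// checkChallenge stands in for whatever authorization the provisioner applies
// (a static challenge here; real deployments may use webhooks or dynamic
// challenges, which this example does not model).
func checkChallenge(req scepRequest, expected string) error {
	if req.ChallengePassword != expected {
		return errUnauthorized
	}
	return nil
}

// authorizeWeak models the flawed pattern the advisory describes: only the
// explicitly handled types are checked, and any other type that parsed
// successfully reaches the final return with no authorization at all.
func authorizeWeak(req scepRequest, expected string) error {
	switch req.MessageType {
	case msgPKCSReq, msgRenewalReq:
		return checkChallenge(req, expected)
	}
	return nil // unhandled-but-parsable types are treated as authorized
}

// authorizeFixed applies default deny: a message type that is not in the
// supported set is rejected before any authorization or issuance logic runs,
// and supported types still go through the authorization check.
func authorizeFixed(req scepRequest, expected string) error {
	if !supportedTypes[req.MessageType] {
		return fmt.Errorf("%w: %d", errUnsupportedType, req.MessageType)
	}
	return checkChallenge(req, expected)
}

func main() {
	const expected = "constructed-challenge" // constructed sample value
	// Constructed sample: an UpdateReq carrying no challenge at all.
	req := scepRequest{MessageType: msgUpdateReq}
	fmt.Println("weak :", authorizeWeak(req, expected))  // <nil>: slips through
	fmt.Println("fixed:", authorizeFixed(req, expected)) // unsupported messageType: 18
}
```

The point to carry into a review of any request dispatcher is the shape of `authorizeFixed`: the set of accepted message types is enumerated once, everything outside it is rejected first, and only then does the per-type authorization run. A `switch` with no `default` that falls through to a success return is the structure to look for.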

Acknowledgements

This issue was identified and reported by Prasanth Sundararajan.

Embargo List

If your organization runs Step CA in production and would like advance, embargoed notification of future security updates, visit https://u.step.sm/disclosure to request inclusion on our embargo list.

Stay safe, and thank you for helping us keep the ecosystem secure.

If you have urgent questions, please contact security@smallstep.com.
