Changes

CA/WoSign Issues

13 bytes added, 16:40, 26 September 2016
Wording tweak
The first WoSign [https://www.wosign.com/report/wosign_incidents_report_09042016.pdf incident report], produced in response to other issues listed on this page, has a screenshot of a dig query from their validation server. The dig program is part of the bind-utils package, and the output of dig appears to show a bind-utils version of 9.7.3-8.P3.el6. The "el6" shows that this is a version built for Red Hat Enterprise Linux 6. This version of bind-utils was released in [https://rhn.redhat.com/errata/RHBA-2011-1697.html December 2011] and so is very out of date.
The next release of this package for EL6 following the one WoSign are using is bind-utils 9.7.3-8.P3.el6_2.1, which was released [https://rhn.redhat.com/errata/RHBA-2011-1836.html a little later in December 2011]. The most recent version is 9.8.2-0.47.rc1.el6, which was released on the [https://rhn.redhat.com/errata/RHBA-2016-0784.html 10th of May 2016]. There are 19 patched CVEs between the version WoSign is suspected of running and the current version. None of these CVEs are especially severe. However, if this software is in fact that far out of date (nearly five years), it raises questions about the overall patch level of their verification server and even their other infrastructure.
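The comparison above can be automated for an audit checklist. The following is an added example, not code from the WoSign report or from this wiki page: it pulls the RPM version-release out of a Red Hat dig banner and ranks it against the builds named above using rpm's segment-wise ordering. It assumes Red Hat's bind-utils prints its banner as "DiG <upstream>-RedHat-<version-release>"; the sample banner lines are constructed.

```python
import re

# Versions named on this page: the build WoSign's dig output appears to show,
# the next EL6 erratum after it, and the newest EL6 build as of the text.
SUSPECTED = "9.7.3-8.P3.el6"
NEXT_FIX = "9.7.3-8.P3.el6_2.1"
LATEST = "9.8.2-0.47.rc1.el6"

# Assumption: Red Hat's bind-utils prints "DiG <upstream>-RedHat-<version-release>"
# in its banner line. The sample banners used below are constructed, not from the report.
BANNER_RE = re.compile(r"^; <<>> DiG \S+?-RedHat-(\S+) <<>>")

def package_vr_from_banner(banner):
    """Return the RPM version-release (e.g. '9.7.3-8.P3.el6') from a dig banner, or None."""
    m = BANNER_RE.match(banner)
    return m.group(1) if m else None

def _segments(s):
    # rpmvercmp splits on maximal runs of digits or letters; other characters separate
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Compare two version or release strings the way rpm does: -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment outranks letters
        elif x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win

def compare_vr(a, b):
    """Compare 'version-release' strings: version decides first, then release."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def assess_banner(banner, latest=LATEST):
    """Flag a dig banner whose bind-utils build is older than the latest known EL6 build."""
    vr = package_vr_from_banner(banner)
    if vr is None:
        return {"found": None, "outdated": None}
    return {"found": vr, "outdated": compare_vr(vr, latest) < 0}

if __name__ == "__main__":
    print(assess_banner("; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6 <<>> example.com"))
```

Comparing against the distribution's newest build rather than the upstream BIND version matters here, because Red Hat backports fixes into the 9.7.3 and 9.8.2 release streams without bumping the upstream number.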
WoSign's [https://cert.webtrust.org/SealFile?seal=2019&file=pdf most recent audit] used the "[http://www.webtrust.org/homepage-documents/item79806.pdf SSL Baseline With Network Security - Version 2.0]" criteria. These criteria integrate two CA/Browser Forum Documents - the SSL BRs and the Network & Certificate Systems Security Requirements.