2033170 - DigiCert: Misissued code signing certificates
DigiCert misissued code signing certificates after threat actor compromised customer support, signed malware.
Summary
DigiCert disclosed that a malware incident targeting a customer support team member let a threat actor obtain initialization codes for a limited number of code signing certificates, a few of which were then used to sign malware. The affected certificates were revoked within 24 hours of discovery, with the revocation date set to their date of issuance so that no signature made with them predates the revocation, and pending orders in the affected window were cancelled. The preliminary report cites the Microsoft, Mozilla, Apple and Chrome root program policies, the CCADB policy, and the CABF Code Signing Baseline Requirements and Network and Certificate System Security Requirements as the relevant policies.
Full text
Bug 2033170 (Bugzilla). Opened 3 days ago, updated 1 day ago.
Product: CA Program
Component: CA Certificate Compliance
Type: task
Status: ASSIGNED
Reporter: dcbugzillaresponse
Assignee: dcbugzillaresponse
Triage Owner: bwilson
Whiteboard: [ca-compliance] [code-signing-misissuance]
This bug is publicly visible.

Preliminary Incident Report

Summary

Incident description: A malware incident targeted a customer support team member. Upon detection, the threat vector was contained. Our subsequent investigation found that the threat actor was able to procure initialization codes for a limited number of code signing certificates, few of which were then used to sign malware. The identified certificates were revoked within 24 hours of discovery and the revocation date set to their date of issuance. As a precautionary measure, pending orders within the window of interest were cancelled. Additional details will be provided in our full incident report.
Relevant policies: Microsoft Trusted Root Program Policy Section 2.1.16; Mozilla Root Store Policy Section 2.4; Apple Root Certificate Program Section 3; Chrome Root Program Policy Section 15.1; CCADB Policy Section 1; CABF Code Signing Baseline Requirements Section 4.9.1.1; CABF Network and Certificate System Security Requirements (NetSec) Sections 1 and 2.

Source of incident disclosure: Third Party incident-reporting

History (updated 2 days ago): Assignee: nobody → dcbugzillaresponse; Status: UNCONFIRMED → ASSIGNED; Ever confirmed: true; Whiteboard: [ca-compliance] [code-signing-misissuance]
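The detail in the preliminary report that matters most to a relying party is that the revocation date was set to the certificates' date of issuance. Under Authenticode-style verification a timestamped signature remains acceptable after revocation as long as the countersigned signing time is earlier than the revocation date, so a revocation dated at the time of discovery would leave malware signed in the days before it still trusted; backdating to issuance closes that gap. The Go program below is an added example written for this page, not code from DigiCert, Bugzilla or any root program. It builds a constructed throwaway CA and code-signing leaf, issues a CRL both ways, and applies a simplified model of that timestamp rule. Every name, serial number and date in it is invented, and SignatureTrusted is a model of the revocation-date check, not a full Authenticode verifier.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TestPKI is a constructed, throwaway hierarchy (one CA, one code-signing leaf).
// It is not DigiCert's hierarchy; it exists only to exercise revocation-date logic.
type TestPKI struct {
	CA    *x509.Certificate
	CAKey *ecdsa.PrivateKey
	Leaf  *x509.Certificate
}

// NewTestPKI builds the CA and issues a code-signing leaf whose NotBefore is `issued`.
func NewTestPKI(issued time.Time) (*TestPKI, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test Code Signing CA"},
		NotBefore:             issued.Add(-24 * time.Hour),
		NotAfter:              issued.Add(3 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to issue CRLs
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242), // invented serial
		Subject:      pkix.Name{CommonName: "Example Publisher (hypothetical)"},
		NotBefore:    issued,
		NotAfter:     issued.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return &TestPKI{CA: ca, CAKey: caKey, Leaf: leaf}, nil
}

// IssueCRL revokes the leaf for keyCompromise with the given revocation date,
// signs the CRL with the CA, then re-parses and verifies it as a relying party would.
func (p *TestPKI) IssueCRL(revokedAt, now time.Time) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: now,
		NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{{
			SerialNumber:   p.Leaf.SerialNumber,
			RevocationTime: revokedAt,
			ReasonCode:     1, // RFC 5280 CRLReason keyCompromise
		}},
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, p.CA, p.CAKey)
	if err != nil {
		return nil, err
	}
	rl, err := x509.ParseRevocationList(der)
	if err != nil {
		return nil, err
	}
	if err := rl.CheckSignatureFrom(p.CA); err != nil {
		return nil, err
	}
	return rl, nil
}

// SignatureTrusted applies the simplified Authenticode-style rule for a timestamped
// signature: once the signer's certificate is on the CRL, the signature is accepted
// only if its countersigned signing time is earlier than the recorded revocation
// date. Certificates not on the CRL are trusted. This is a model, not a full verifier.
func SignatureTrusted(rl *x509.RevocationList, signer *x509.Certificate, signedAt time.Time) bool {
	for _, e := range rl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(signer.SerialNumber) == 0 {
			return signedAt.Before(e.RevocationTime)
		}
	}
	return true
}

func main() {
	issued := time.Date(2025, 1, 10, 12, 0, 0, 0, time.UTC) // constructed dates, not the incident's
	discovered := issued.Add(30 * 24 * time.Hour)
	pki, err := NewTestPKI(issued)
	if err != nil {
		panic(err)
	}
	signingTimes := map[string]time.Time{
		"signed before discovery": issued.Add(3 * 24 * time.Hour),
		"signed after discovery":  issued.Add(35 * 24 * time.Hour),
	}
	for label, revokedAt := range map[string]time.Time{
		"revocation dated at discovery":    discovered,
		"revocation backdated to issuance": issued,
	} {
		rl, err := pki.IssueCRL(revokedAt, discovered)
		if err != nil {
			panic(err)
		}
		for desc, at := range signingTimes {
			fmt.Printf("%-34s | %-24s | trusted=%v\n", label, desc, SignatureTrusted(rl, pki.Leaf, at))
		}
	}
}
```

With the revocation dated at discovery, the earlier signature stays trusted and only the later one fails; with the revocation backdated to issuance, no signing time can precede the revocation date, so both fail while a certificate absent from the CRL is unaffected.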