CVE-2022-21672: CWE-115: Misinterpretation of Input in lfs-book make-ca
make-ca is a utility to deliver and manage a complete PKI configuration for workstations and servers. Starting with version 0.9 and prior to version 1.10, make-ca misinterprets Mozilla's certdata.txt and treats explicitly untrusted certificates like trusted ones, so those explicitly untrusted certificates become trusted by the system. Some of the explicitly untrusted certificates belong to CAs that have already been compromised, so an attacker holding such a certificate may perform a man-in-the-middle (MITM) attack. Everyone using an affected version of make-ca should upgrade to make-ca-1.10 and immediately run `make-ca -f -g` as the `root` user to regenerate the trust store. As a workaround, users may delete the untrusted certificates from /etc/pki/tls and /etc/ssl/certs manually (or with a script), but this is not recommended because the manual changes will be overwritten the next time make-ca is run to update the trust anchors.
AI Analysis
Technical Summary
CVE-2022-21672 affects make-ca, the utility used by Linux From Scratch and its derivatives to deliver and manage a complete Public Key Infrastructure (PKI) configuration for workstations and servers. The affected versions range from 0.9 up to, but not including, 1.10. make-ca builds the system trust store from Mozilla's certdata.txt, the same file that feeds the NSS root store. Each certificate in that file carries per-purpose trust attributes (CKA_TRUST_SERVER_AUTH, CKA_TRUST_EMAIL_PROTECTION, CKA_TRUST_CODE_SIGNING) whose value is CKT_NSS_TRUSTED_DELEGATOR for a trust anchor, CKT_NSS_MUST_VERIFY_TRUST when no explicit trust is granted, or CKT_NSS_NOT_TRUSTED when Mozilla has explicitly distrusted the certificate. The affected versions misread that last state and install explicitly distrusted certificates as if they were trust anchors. This is the CWE-115 pattern, misinterpretation of input, applied to trust metadata.

The practical consequence is that several of the explicitly distrusted entries belong to CAs that were compromised, so whoever holds certificates issued under them can present one to a client or server that relies on the make-ca-generated store and perform a man-in-the-middle (MITM) attack, intercepting or altering TLS traffic without triggering a validation error. This undermines the confidentiality and integrity of every connection that trusts the store.

Remediation is to upgrade to make-ca 1.10 or later, where the handling of certdata.txt is corrected, and then immediately run `make-ca -f -g` as root so that the trust anchors are rebuilt with the corrected interpretation. Manually deleting the offending certificates from /etc/pki/tls and /etc/ssl/certs works only until the next make-ca run, which regenerates the store from certdata.txt and reintroduces them; it is a stop-gap, not a fix.
No known exploits have been reported in the wild as of the publication date, but the potential for MITM attacks remains significant due to the nature of the vulnerability and the critical role of trusted certificates in secure communications.
Potential Impact
For European organizations, the impact of CVE-2022-21672 can be substantial, especially for entities relying on make-ca for PKI management in critical infrastructure, government, finance, healthcare, and telecommunications sectors. The vulnerability compromises the trust model of TLS/SSL communications by allowing explicitly untrusted certificates to be accepted as valid. This can lead to undetected interception and manipulation of sensitive data, including personal information, financial transactions, and confidential communications. Given the reliance on secure communications for regulatory compliance (e.g., GDPR, NIS Directive) and the increasing sophistication of cyber threats in Europe, exploitation of this vulnerability could result in data breaches, loss of customer trust, regulatory penalties, and operational disruptions. Additionally, attackers exploiting this flaw could gain footholds for further lateral movement within networks, potentially escalating to broader compromises. The vulnerability affects both workstations and servers, broadening the attack surface. Organizations using make-ca in automated certificate management workflows may inadvertently propagate the trust of compromised certificates across multiple systems, amplifying the risk. Although no active exploits are known, the presence of compromised CAs in the untrusted list underscores the urgency of mitigation to prevent future attacks.
Mitigation Recommendations
1. Immediate upgrade: prioritize upgrading make-ca to version 1.10 or later, where the certdata.txt handling is fixed.
2. Trust store regeneration: after upgrading, run `make-ca -f -g` as root to regenerate the trust store so that explicitly untrusted certificates are excluded.
3. Audit certificate stores: check /etc/pki/tls, /etc/ssl/certs and any other location make-ca writes to, and confirm that no certificate Mozilla marks CKT_NSS_NOT_TRUSTED in certdata.txt is still present.
4. Automate validation: add a check to certificate-management pipelines that flags any store entry Mozilla or another authoritative source has explicitly distrusted.
5. Monitor network traffic: deploy monitoring able to detect anomalous TLS traffic patterns indicative of MITM attacks.
6. Restrict make-ca execution: limit who may run make-ca, and from where, to prevent unauthorized changes to the trust store.
7. Incident response readiness: prepare response plans that cover MITM scenarios arising from certificate trust issues.
8. Vendor communication: confirm with vendors and upstream providers that their PKI management tools are not affected or have been updated.
Do not rely on manual deletion of untrusted certificates as a long-term fix: the next make-ca run overwrites those changes and reintroduces the problem.
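The trust-flag handling described in the technical summary and the store audit called for in steps 3 and 4 above, as an added example. This is illustrative code, not make-ca's own, and `classify_misread` is a hypothetical instance of the CWE-115 pattern written for contrast, not a reconstruction of the actual make-ca defect. The certdata.txt fragment is constructed (invented CA labels, placeholder bytes in place of real DER); the attribute names and CKT_NSS_* values are Mozilla's real vocabulary. `audit_store` is assumed to be pointed at a directory of PEM files such as /etc/ssl/certs.

```python
"""Read trust flags from Mozilla certdata.txt and audit a PEM trust store against them.
Added example, not make-ca's own code. A CKO_CERTIFICATE object is an anchor only when its
CKO_NSS_TRUST companion grants CKT_NSS_TRUSTED_DELEGATOR; CKT_NSS_NOT_TRUSTED is explicit distrust."""
import base64, hashlib, os, re, tempfile

TRUSTED, NOT_TRUSTED, MUST_VERIFY = (
    "CKT_NSS_TRUSTED_DELEGATOR", "CKT_NSS_NOT_TRUSTED", "CKT_NSS_MUST_VERIFY_TRUST")
SERVER_AUTH = "CKA_TRUST_SERVER_AUTH"  # the purpose a TLS trust store is built for
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed fragment in certdata.txt syntax: the CA labels are invented and the
# CKA_VALUE octal bytes are placeholders, not real DER certificates.
SAMPLE_CERTDATA = r"""
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Good Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\001
END
# Trust for "Good Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Good Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Hacked Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\002\002
END
# Trust for "Hacked Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Hacked Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
"""

def parse_certdata(text):
    """One dict per object; blank or comment lines end an object, MULTILINE_OCTAL runs to END."""
    objects, cur, key, octal = [], {}, None, []
    for line in (raw.strip() for raw in text.splitlines()):
        if key:                                   # collecting a MULTILINE_OCTAL value
            if line != "END":
                octal.append(line)
                continue
            cur[key] = bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", "".join(octal)))
            key, octal = None, []
        elif not line or line[0] == "#":
            objects.append(cur)
            cur = {}
        else:
            parts = line.split(None, 2)
            if len(parts) < 2:                    # BEGINDATA and other bare markers
                continue
            if parts[1] == "MULTILINE_OCTAL":
                key = parts[0]
            elif len(parts) == 3:
                cur[parts[0]] = parts[2].strip('"') if parts[1] == "UTF8" else parts[2]
    return [o for o in objects + [cur] if o]

def pairs(objects):
    """(label, der, server-auth flag) per certificate, joined by CKA_LABEL (production: issuer+serial)."""
    trust = {o["CKA_LABEL"]: o for o in objects if o.get("CKA_CLASS") == "CKO_NSS_TRUST"}
    return [(o["CKA_LABEL"], o["CKA_VALUE"], trust.get(o["CKA_LABEL"], {}).get(SERVER_AUTH, MUST_VERIFY))
            for o in objects if o.get("CKA_CLASS") == "CKO_CERTIFICATE"]

def classify(objects):
    """Correct reading: only CKT_NSS_TRUSTED_DELEGATOR yields an anchor."""
    return {label: {TRUSTED: "anchor", NOT_TRUSTED: "distrusted"}.get(flag, "skip")
            for label, _, flag in pairs(objects)}

def classify_misread(objects):
    """Hypothetical CWE-115 misreading (not make-ca's code): any explicit setting counts as 'trusted'."""
    return {label: "anchor" if flag != MUST_VERIFY else "skip" for label, _, flag in pairs(objects)}

def distrusted_fingerprints(objects):
    """SHA-256 over the DER (CKA_VALUE) of every explicitly distrusted certificate."""
    return {hashlib.sha256(der).hexdigest() for _, der, flag in pairs(objects) if flag == NOT_TRUSTED}

def audit_store(directory, bad_fps):
    """Names of files under `directory` (e.g. /etc/ssl/certs) that carry a distrusted certificate."""
    hits = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)           # isfile() follows the symlinks such stores use
        if os.path.isfile(path):
            with open(path, errors="replace") as fh:
                ders = [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(fh.read())]
            if any(hashlib.sha256(d).hexdigest() in bad_fps for d in ders):
                hits.append(name)
    return hits

def audit_demo():
    """Audit a throwaway store holding one good and one distrusted certificate."""
    objects = parse_certdata(SAMPLE_CERTDATA)
    der = {label: d for label, d, _ in pairs(objects)}
    with tempfile.TemporaryDirectory() as store:
        for name, label in (("good.pem", "Good Root"), ("hacked.pem", "Hacked Root")):
            with open(os.path.join(store, name), "w") as fh:
                fh.write("-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n"
                         % base64.encodebytes(der[label]).decode())
        return audit_store(store, distrusted_fingerprints(objects))
```

On the sample, `classify` returns `anchor` for "Good Root" and `distrusted` for "Hacked Root", while `classify_misread` returns `anchor` for both, which is the shape of the defect the advisory describes. For a real check, feed `parse_certdata` the current certdata.txt and point `audit_store` at /etc/ssl/certs or /etc/pki/tls/certs: anything it still reports after make-ca 1.10 has been run with `-f -g` means the store was not actually regenerated.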
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2021-11-16T00:00:00.000Z
- CISA Enriched: true
Threat ID: 682d9842c4522896dcbf225b
Added to database: 5/21/2025, 9:09:22 AM
Last enriched: 6/23/2025, 6:33:31 PM
Last updated: 2/7/2026, 11:08:53 AM
Related Threats
- CVE-2026-2083: SQL Injection in code-projects Social Networking Site (Medium)
- CVE-2026-2082: OS Command Injection in D-Link DIR-823X (Medium)
- CVE-2026-2080: Command Injection in UTT HiPER 810 (High)
- CVE-2026-2079: Improper Authorization in yeqifu warehouse (Medium)
- CVE-2026-1675: CWE-1188 Initialization of a Resource with an Insecure Default in brstefanovic Advanced Country Blocker (Medium)