VAION-260: vcore gateway certificates revoked
4th March 2020.
A bug in Let�s Encrypt�s validation of domain ownership meant that some number of certificates issued to vCores have been revoked for some customers.
See https://community.letsencrypt.org/t/2020-02-29-caa-rechecking-bug/114591 for the original issue.
- vcore: All versions using vCloud Gateway.
- vcam: All versions.
- vcloud: All versions.
The affected certificates will be renewed automatically before the 30th of April 2020. This certificate can also be renewed manually (see mitigations).
As certificates have been revoked, customers using the vCloud gateway feature may see a �certificate revoked� warning when browsing to their vCore through their browser. An attacker could take advantage of this warning to man-in-the-middle the vCore and intercept sessions without the end user being aware as the correct certificate is also invalid.
- CVSSv3 score: 5.3 Medium
- CVSSv3.1 vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:W/RC:C
Certificates can be renewed manually with the following process
- Go to the �Servers� tab
- Select the �Cloud� popup
- Disable remote access
- Select the server
- On the right hand side, press �View Certificates�
- Find �Vaion Cloud Certificate�, and press the 3 dots, and then �Delete�
- Return to the �Cloud� popup and re-enable remote access
- A new certificate will be provisioned within 10 minutes.
Issue reported by LetsEncrypt.
- 29/02/2020 Vulnerability confirmed by LetsEncrypt
- 03/03/2020 Affected customers identified
- 03/03/2020 Workaround identified
- 04/03/2020 Vulnerability disclosed