PT-2020-17067 · Primekey · Primekey Ejbca

Published: 2020-11-19 · Updated: 2024-03-06 · CVE-2020-28942

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: PrimeKey EJBCA versions prior to 7.4.3

Description: An issue exists when enrolling with EST while proxied through an RA over the Peers protocol. A client holding a valid client certificate can enroll through any functioning, authenticated RA connected to the CA, bypassing the Peer connector's restriction of accepted client certificates to a limited set of allowed CAs. This affects the domain security model: the Peer connector's restrictions do not apply as intended to the EST implementation, unlike other protocols such as CMP. An attacker must already hold a trusted client certificate and be authorized to enroll against the targeted CA.

Recommendations: For PrimeKey EJBCA versions prior to 7.4.3, update to version 7.4.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the EST implementation until the update can be applied. Additionally, review and reinforce the authorization and authentication processes for RAs connected to the CA to minimize the risk of exploitation.

Fix

Weakness Enumeration: Improper Certificate Validation

Related Identifiers: BIT-EJBCA-2020-28942, CVE-2020-28942

Affected Products: Primekey Ejbca