CVE-2022-21672

Name of the Vulnerable Software and Affected Versions make-ca versions 0.9 through 1.10

Description make-ca is a utility to deliver and manage a complete PKI configuration for workstations and servers. Starting with version 0.9 and prior to version 1.10, make-ca misinterprets Mozilla certdata.txt and treats explicitly untrusted certificates like trusted ones, causing those explicitly untrusted certificates to be trusted by the system. The explicitly untrusted certificates were used by some CAs that have already been hacked. Hostile attackers may perform a MIM attack exploiting them.

Recommendations For make-ca versions 0.9 through 1.10, upgrade to make-ca-1.10 and run make-ca -f -g as the root user to regenerate the trusted store immediately. As a temporary workaround, users may delete the untrusted certificates from /etc/pki/tls and /etc/ssl/certs manually (or by a script), but this is not recommended because the manual changes will be overwritten next time make-ca is run to update the trusted anchor.