CLEVELAND, OH – August 16, 2012. Certified Security Solutions (CSS) is making its SCEP Validation Service™ – a solution that prevents the attack described in US-CERT vulnerability report VU#970135 – available for integration and OEM license by interested third parties. Until now, this software has only been available as a part of CSS’ Mobile Certificate Management System (mCMS) product.
While the Simple Certificate Enrollment Protocol (SCEP) has been in use for several years, many Mobile Device Management (MDM) systems now deliver SCEP One-Time-Passwords directly to the devices they manage, which exposes them to misuse by attackers and can lead to certificates with fraudulent content, and potential privilege escalation attacks. Visit this informational portal online to learn more about the vulnerability: www.css-security.com/scep.
CSS’ patent-pending solution to the SCEP vulnerability includes a plug-in Policy Module to the Microsoft CA which blocks any manipulation of SCEP-based certificate request data, and allows customers to retain the benefits of on-device private key generation, while preventing the security problems associated with sending SCEP passwords outside of an organization’s trusted network.
“We’ve realized that the need for Validated SCEP™ transcends the certificate issuance and management space that our products focus on, into areas such as MDM,” says Kevin von Keyserling, CSS’ Chief Executive Officer. “It doesn’t do our customers any good if they shore up a vulnerability with our mCMS product, only to re-open it when they install another piece of software. Our hope is that others can make use of this technology so that our collective customer base can be more secure.”
Visit the Validated SCEP resource center for more information: http://www.css-security.com/vscep/
CSS is an information security services company with operations throughout North America and headquartered in Cleveland, Ohio. We specialize in three critical areas of information security: identity & access management, secure infrastructure & governance, and risk & compliance. CSS provides consulting services, managed security services, security as a service and security software tools in order to meet our clients’ needs. For more information and for a complete list of branch offices, visit www.css-security.com or email firstname.lastname@example.org