On Friday, January 12, 2018 at 8:33:42 AM UTC-7, Hanno Böck wrote:
> Comodo ITSM (IT Service Management Software) runs an HTTPS server on
> localhost and port 21185. The domain localhost.cmdm.comodo.net pointed
> to localhost.
> It is obvious that with this setup the private key is part of the
> application and thus compromised. With advanced next generation key
> extraction software (strings and grep) I was able to extract the
> private key from the software executable.
> There exist two certificates that use the same key plus two
> precertificates. Only one of the certificates is still valid, the other
> is expired. List:
> I reported this to Comodo earlier today and the certificate got revoked
> very quickly. It was pointed out to me that Comodo ITSM was developed
> by Comodo Security Solutions and that Comodo CA played no part in the
> development of that software.
> Hanno Böck
> mail/jabber: firstname.lastname@example.org
> GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
Can you request a CVE for this? Thanks.
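As an added, defender-side illustration (not code from this thread, from Hanno, or from Comodo): a release-artifact check that scans a binary for PEM-armored private keys, validates that each body is a well-formed DER SEQUENCE, and reports a SHA-256 of the DER so a finding can be matched against a known certificate key without printing the key material. The sample blob and its tiny DER body are constructed stand-ins.

```python
import base64
import binascii
import hashlib
import re

# Matches a PEM-armored private key anywhere in a byte blob, even when it is
# surrounded by arbitrary binary (the situation the report describes).
PEM_KEY_RE = re.compile(
    rb"-----BEGIN ([A-Z ]*PRIVATE KEY)-----"
    rb"([A-Za-z0-9+/=\s]+?)"
    rb"-----END \1-----"
)


def is_der_sequence(der: bytes) -> bool:
    """True if `der` is exactly one well-formed DER SEQUENCE (tag 0x30).
    PKCS#1, PKCS#8 and SEC1 private keys all encode a SEQUENCE, so this
    filters out text that merely sits between PEM markers."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        body, header = first, 2
    else:                                 # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        body, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + body == len(der)


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER: enough to match a key, safe to put in a ticket."""
    return hashlib.sha256(der).hexdigest()


def find_embedded_keys(blob: bytes) -> list[dict]:
    """Locate PEM private keys in a binary and fingerprint their DER form."""
    findings = []
    for m in PEM_KEY_RE.finditer(blob):
        try:
            der = base64.b64decode(re.sub(rb"\s", b"", m.group(2)), validate=True)
        except binascii.Error:            # truncated or corrupt body
            der = b""
        findings.append({"label": m.group(1).decode(), "offset": m.start(),
                         "der_valid": is_der_sequence(der),
                         "sha256": fingerprint(der)})
    return findings


# Constructed sample: SEQUENCE { INTEGER 0, INTEGER 65537 } stands in for real
# key material; a real key is far larger but has the same outer shape.
SAMPLE_DER = bytes.fromhex("30080201000203010001")
SAMPLE_BLOB = (b"\x7fELF\x00\x01junk-----BEGIN RSA PRIVATE KEY-----\n"
               + base64.b64encode(SAMPLE_DER) + b"\n-----END RSA PRIVATE KEY-----\n"
               + b"\x00\xff more binary"
               # second block is base64 of "not a key": reported, but der_valid=False
               + b"-----BEGIN PRIVATE KEY-----\nbm90IGEga2V5\n-----END PRIVATE KEY-----")

if __name__ == "__main__":
    for finding in find_embedded_keys(SAMPLE_BLOB):
        print(finding)
```

Run it against the built executable in CI; any finding with `der_valid` true means a private key is shipping inside the artifact.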