Reference Name: Intermediate Entitlement Server Private Key
Severity: High
Risk: Low
Status: SAS fixes available
History
3-26-2018 – Acknowledgement, with fixes
Potential Impact
Administrators can download arbitrary code if they connect to a fraudulent SAS® Entitlement Server.
Description
An internal assessment discovered that a subset of SAS Viya orders contained an intermediate Certification Authority private key that was previously used to access the SAS Entitlement Server, which is used to download SAS software. With this key, a fraudulent server could impersonate the valid SAS Entitlement Server, so that an administrator who connects to it believes it is genuine and downloads invalid packages.
SAS packages are code signed, which provides a mitigation that significantly reduces the risk of this issue. In Linux installations, code signing is enforced by default, and any code that is not signed with a separate key controlled by SAS fails to install. If an attacker tries to impersonate the SAS Entitlement Server and delivers invalid packages to a client, the packages fail to install because they would not be signed correctly. In Microsoft Windows installations, the code-signing policy is configurable by the end user rather than by the SAS installation. Packages that are not signed correctly fail to install only if the Windows code-signing policy is configured to reject invalid signatures.
To address this issue, the SAS Entitlement Server certificate chain has been replaced, and all private keys have been protected with hardware-security modules.
New customers will receive a Software Order Email (SOE) with the new certificate chain for connecting to the SAS Entitlement Server. Existing customers will receive the new certificate chain and a cross-signed certificate that will be used to automatically convert them to the new certificate chain the next time that they perform an update.
To verify that any downloaded code has been signed by SAS, see SAS Note 62013.
Solution
March 26, 2018
For Linux installations, update the sas-meta-repo package using YUM to automatically delete the old certificate. Here is an example:
>sudo yum update "sas-meta-repo-*"
For Windows installations, run the following command from an administrator command prompt to remove the old certificate:
>certutil -delstore Root f4838a25c465839f8644484a5a09fa601ef284e8
These commands connect to a valid SAS server and download the latest certificate update.
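To confirm after the update that the retired intermediate is no longer trusted, the following added example (not SAS code) walks a PEM trust bundle, computes the SHA-1 thumbprint over each certificate's DER bytes (the same value certutil -delstore and openssl x509 -fingerprint -sha1 use), and reports any certificate matching the thumbprint from the advisory. The sample bundle is constructed from placeholder bytes, and the bundle path is an assumption for your system.

```python
import base64
import hashlib
import re
import sys

# SHA-1 thumbprint of the retired intermediate, as given in the advisory's certutil command.
RETIRED_THUMBPRINT = "f4838a25c465839f8644484a5a09fa601ef284e8"

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der_blocks(bundle_text):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle, in file order."""
    return [base64.b64decode("".join(m.group(1).split()), validate=True)
            for m in PEM_CERT.finditer(bundle_text)]


def sha1_thumbprint(der):
    """SHA-1 over the DER encoding: the identifier certutil and openssl -fingerprint -sha1 report."""
    return hashlib.sha1(der).hexdigest()


def normalize(thumbprint):
    """Accept openssl style 'F4:83:8A:..' as well as bare hex (certutil style)."""
    return thumbprint.replace(":", "").replace(" ", "").lower()


def find_retired_certs(bundle_text, thumbprint=RETIRED_THUMBPRINT):
    """Indexes (in bundle order) of certificates whose thumbprint matches."""
    wanted = normalize(thumbprint)
    return [i for i, der in enumerate(pem_to_der_blocks(bundle_text))
            if sha1_thumbprint(der) == wanted]


def _pem(der):
    """Wrap raw bytes as a PEM CERTIFICATE block (64-column base64, as bundle files use)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample bundle: the bodies are placeholder bytes, not real X.509 DER,
# so parsing and thumbprint matching can be exercised offline.
SAMPLE_BUNDLE = ("# constructed sample trust bundle\n"
                 + _pem(b"constructed placeholder DER #1 - not a real certificate")
                 + _pem(b"constructed placeholder DER #2 - not a real certificate"))

if __name__ == "__main__":
    # Usage: python audit_bundle.py /path/to/ca-bundle.crt [thumbprint]  (path is an assumption)
    wanted = sys.argv[2] if len(sys.argv) > 2 else RETIRED_THUMBPRINT
    with open(sys.argv[1], encoding="ascii", errors="replace") as fh:
        hits = find_retired_certs(fh.read(), wanted)
    print("retired certificate still present at index(es):", hits) if hits else print("retired certificate not found")
    sys.exit(1 if hits else 0)
```

A non-zero exit status means the old intermediate is still in the bundle and the update step above did not take effect on that host.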