SAS Statement Regarding SAS® Viya® Orders That Contained An Incorrectly Distributed Intermediate Entitlement Server Private Key

Reference Name: Intermediate Entitlement Server Private Key
Severity: High
Risk: Low
Status: SAS fixes available

History

3-26-2018 – Acknowledgement, with fixes

Potential Impact

Administrators can download arbitrary code if they connect to a fraudulent SAS® Entitlement Server.

Description

An internal assessment discovered that a subset of SAS Viya orders contained the private key of an intermediate Certification Authority that was part of the certificate chain previously used to access the SAS Entitlement Server, the server from which SAS software is downloaded. Because an intermediate CA key can issue certificates that chain to the trusted chain, an attacker holding it could stand up a fraudulent server that an administrator's client would accept as the valid SAS Entitlement Server, and the administrator could then download tampered packages from it.

SAS packages are code signed, which is a mitigation that significantly reduces the risk of this issue. In Linux installations, code-signature checking is enforced by default, and any package that is not signed with a separate key controlled by SAS (not the key that was distributed) fails to install. If an attacker impersonates the SAS Entitlement Server and delivers tampered packages to a client, those packages fail to install because they are not signed correctly. In Microsoft Windows installations, the code-signing policy is configured by the end user rather than by the SAS installation; packages that are not signed correctly fail to install only if the Windows code-signing policy is configured to reject invalid signatures.

To address this issue, the SAS Entitlement Server certificate chain has been replaced, and all of its private keys are now protected by hardware security modules (HSMs).

New customers will receive a Software Order Email (SOE) with the new certificate chain for connecting to the SAS Entitlement Server. Existing customers will receive the new certificate chain and a cross-signed certificate that will be used to automatically convert them to the new certificate chain the next time that they perform an update. 

To verify that any downloaded code has been signed by SAS, see SAS Note 62013.

Solution

March 26, 2018

For Linux installations, update the sas-meta-repo package using YUM; the updated package removes the old certificate automatically. For example:

   >sudo yum update "sas-meta-repo-*"  

For Windows installations, run the following command from an administrator command prompt to remove the old certificate (identified by its SHA-1 thumbprint) from the machine's Trusted Root Certification Authorities store:

   >certutil -delstore Root f4838a25c465839f8644484a5a09fa601ef284e8 

The yum command connects to a valid SAS repository server and downloads the updated package, which carries the new certificate chain and removes the old certificate. The certutil command does not contact any server: it acts only on the local certificate store and deletes the certificate whose SHA-1 thumbprint is listed. Windows installations pick up the new chain through the Software Order Email or the cross-signed certificate described above.
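The certutil step above identifies the retired certificate by its SHA-1 thumbprint. The following Python script is an added example, not code from the SAS bulletin or from SAS, that applies the same idea to a PEM CA bundle on Linux, such as a file referenced by a yum repository's sslcacert setting (where the old chain lives on a particular system is an assumption): it computes the thumbprint of every CERTIFICATE block exactly as certutil and openssl do (SHA-1 over the DER bytes), reports any block on a blocklist, and can write the bundle back without it. The default blocklist entry is the thumbprint from the bulletin's certutil command; the sample PEM blocks are constructed stand-ins, not real X.509 certificates.

```python
"""Audit a PEM CA bundle for a retired certificate by SHA-1 thumbprint.

Added example, not part of the SAS bulletin. Thumbprints are compared in
the normalized form certutil and openssl print them in, and the default
blocklist is the thumbprint from the bulletin's certutil command.
"""
import base64
import hashlib
import re
import textwrap

# SHA-1 thumbprint of the retired certificate, taken from the bulletin's
# certutil -delstore command (certutil matches on this same value).
OLD_SAS_CERT_SHA1 = "f4838a25c465839f8644484a5a09fa601ef284e8"

# One PEM CERTIFICATE block; group(1) is the base64 body. The optional
# trailing newline is consumed so removed blocks leave no blank line behind.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)-----END CERTIFICATE-----\n?",
    re.DOTALL,
)


def normalize_thumbprint(value):
    """Accept 'f483...', 'F4:83:...' (openssl/certutil output) -> lowercase hex."""
    return value.replace(":", "").replace(" ", "").lower()


def sha1_thumbprint(der):
    """Thumbprint = SHA-1 over the DER encoding, as certutil and openssl compute it."""
    return hashlib.sha1(der).hexdigest()


def pem_certificates(bundle_text):
    """Return [(block_index, der_bytes)] for every CERTIFICATE block in the bundle."""
    certs = []
    for i, body in enumerate(_PEM_BLOCK.findall(bundle_text)):
        der = base64.b64decode("".join(body.split()), validate=True)
        certs.append((i, der))
    return certs


def find_thumbprints(bundle_text, blocklist=(OLD_SAS_CERT_SHA1,)):
    """Return [(block_index, thumbprint)] for blocks whose thumbprint is blocklisted."""
    wanted = {normalize_thumbprint(t) for t in blocklist}
    hits = []
    for i, der in pem_certificates(bundle_text):
        thumbprint = sha1_thumbprint(der)
        if thumbprint in wanted:
            hits.append((i, thumbprint))
    return hits


def remove_certificates(bundle_text, blocklist=(OLD_SAS_CERT_SHA1,)):
    """Return the bundle text with blocklisted certificate blocks removed.

    This is the PEM-file counterpart of 'certutil -delstore Root <thumbprint>':
    every other block is passed through byte-for-byte.
    """
    wanted = {normalize_thumbprint(t) for t in blocklist}

    def keep_or_drop(match):
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
        return "" if sha1_thumbprint(der) in wanted else match.group(0)

    return _PEM_BLOCK.sub(keep_or_drop, bundle_text)


def make_pem(der):
    """Wrap DER bytes as a PEM CERTIFICATE block with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample input: these byte strings are NOT real X.509 certificates;
# they only stand in for DER so the thumbprint logic can be exercised offline.
SAMPLE_DER_KEEP = b"constructed stand-in for the replacement SAS CA certificate"
SAMPLE_DER_OLD = b"constructed stand-in for the retired certificate"
SAMPLE_BUNDLE = make_pem(SAMPLE_DER_KEEP) + make_pem(SAMPLE_DER_OLD)

if __name__ == "__main__":
    # Against a real bundle you would pass OLD_SAS_CERT_SHA1 (the default);
    # the sample uses the constructed block's own thumbprint as the blocklist.
    retired = sha1_thumbprint(SAMPLE_DER_OLD)
    for index, thumbprint in find_thumbprints(SAMPLE_BUNDLE, [retired]):
        print("block %d matches retired thumbprint %s" % (index, thumbprint))
    cleaned = remove_certificates(SAMPLE_BUNDLE, [retired])
    print("%d certificate(s) remain after removal" % len(pem_certificates(cleaned)))
```

Run it against a real bundle by reading the file into `find_thumbprints(text)` with the default blocklist; an empty result means the retired certificate is not trusted through that file. Because the thumbprint is computed over the raw DER, the script never needs to parse X.509, which is also why the constructed sample blocks are enough to exercise it.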
