Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. This issue has been fixed in version 0.30.0.
Step-CA versions up to and including 0.30.0-rc6 do not enforce authentication when handling SCEP UpdateReq requests. An attacker can send a crafted UpdateReq request to the publicly accessible SCEP endpoint without providing any credentials. The system does not verify the identity of the sender, which classifies the vulnerability as an authentication error (CWE-287) and improper certificate verification (CWE-295). As a result, the certificate authority issues a valid certificate to an untrusted entity.
An attacker without any permissions can remotely obtain valid PKI certificates issued by a trusted certificate authority, which may lead to impersonation of other systems, network traffic interception (man-in-the-middle attacks), and compromise of integrity and confidentiality of certificate-based infrastructure.
Smallstep Step-CA should be updated to version 0.30.0 (or at least 0.30.0-rc7) where the issue has been fixed. Patches are available in the project's GitHub repository and in official release notes.
Smallstep Step-CA versions 0.30.0-rc6 and earlier using SCEP protocol
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:NSmallstep Step Ca
APPSmallstep0.30.0< 0.30.0