CVE-2025-66406
📋 TL;DR
Step CA (smallstep/certificates) versions before 0.29.0 perform an insufficient authorization check on SSH certificate revocation requests that are authenticated through the SSHPOP provisioner. A caller who can authenticate to the revoke endpoint can therefore revoke SSH certificates it should not control. This matters most to DevOps teams that rely on Step CA for automated SSH certificate management, where a revoked certificate takes a host or user out of service until it is reissued.
💻 Affected Systems
- Step CA (smallstep/certificates), versions before 0.29.0, when an SSHPOP provisioner is configured
⚠️ Manual Verification Required
The database entry for this CVE carries no machine-readable version range, so automatic vulnerability detection cannot decide whether your installation is affected.
Why? The CVE database entry does not specify which versions are vulnerable (no version ranges provided by the vendor/NVD). The vendor advisory linked below names 0.29.0 as the fixed release, so treat any earlier version with an SSHPOP provisioner configured as in scope and confirm by hand:
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker who can reach the revoke endpoint and authenticate to it revokes the SSH certificates that users and hosts depend on, locking legitimate principals out of whole fleets until certificates are reissued. Because the flaw is an authorization failure on revocation only, it does not by itself let the attacker issue or substitute certificates; the damage is loss of access and the operational cost of recovery.
Likely Case
Unauthorized revocation of individual SSH certificates, producing authentication failures and temporary outages for the affected users or hosts until new certificates are issued.
If Mitigated
With network segmentation limiting who can reach the CA API and monitoring of revocation events, the impact is confined to disruption of certificate management rather than system compromise.
🎯 Exploit Status
Exploitation requires network access to the Step CA API and a credential that the SSHPOP provisioner accepts; the flaw is that, once authenticated, the revocation handler did not adequately check whether that caller was entitled to revoke the specific certificate named in the request.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.29.0
Vendor Advisory: https://github.com/smallstep/certificates/security/advisories/GHSA-j7c9-79x7-8hpr
Restart Required: Yes
Instructions:
1. Back up the current Step CA configuration.
2. Update Step CA to version 0.29.0 or later.
3. Restart the step-ca service.
4. Verify that step-ca --version reports 0.29.0 or later and that certificate issuance and revocation still work.
🔧 Temporary Workarounds
Disable SSHPOP Provisioner
Temporarily disable the SSHPOP provisioner if it is not essential to operations.
Edit the Step CA configuration (ca.json) and remove the provisioner entry of type SSHPOP from the provisioners list, then restart step-ca.
Restrict API Access
Limit who can reach the Step CA API at the network level.
Configure firewall rules so that only trusted hosts can reach the Step CA listener (typically port 443 or 9000).
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Step CA from untrusted networks
- Enable detailed logging and monitoring for certificate revocation events
🔍 How to Verify
Check if Vulnerable:
Check the installed Step CA version and whether an SSHPOP provisioner is configured. If the version is below 0.29.0 and an SSHPOP provisioner is present in the configuration, the system is vulnerable.
Check Version:
step-ca --version
Verify Fix Applied:
Confirm that step-ca --version reports 0.29.0 or later, then test that an SSH revocation request authenticated through the SSHPOP provisioner for a certificate the caller should not control is rejected.
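A script that applies the two conditions above (version below 0.29.0, SSHPOP provisioner configured) to a version string and a ca.json, and whose sample configurations also show the provisioner entry the workaround section says to remove. This is an added example, not code from smallstep or from the advisory; the shape of the step-ca --version output, the $STEPPATH/config/ca.json location and the sample provisioner lists are assumptions or constructed data, as marked in the comments:

```shell
#!/bin/sh
# Added example for this page; it is not code from smallstep or from the
# advisory. It applies the page's two conditions for CVE-2025-66406:
# installed step-ca version below 0.29.0 AND an SSHPOP provisioner present
# in ca.json. Assumptions are marked where they appear.

FIXED_VERSION="0.29.0"

# Constructed sample provisioner lists (not taken from any real deployment).
# The first is the weak configuration the workaround section tells you to
# remove; the second is the same file with the SSHPOP entry deleted.
SAMPLE_WITH_SSHPOP='{
  "authority": {
    "provisioners": [
      { "type": "JWK", "name": "admin@example.com", "key": { "kty": "EC" } },
      { "type": "SSHPOP", "name": "sshpop", "claims": { "enableSSHCA": true } }
    ]
  }
}'
SAMPLE_WITHOUT_SSHPOP='{
  "authority": {
    "provisioners": [
      { "type": "JWK", "name": "admin@example.com", "key": { "kty": "EC" } }
    ]
  }
}'

# Pull the first x.y.z triple out of `step-ca --version` output. That the
# output looks like "Smallstep CA/0.28.1 (linux/amd64)" is an assumption;
# the extraction only relies on a dotted triple being present.
parse_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# True (exit 0) when version $1 is strictly lower than version $2, comparing
# major, minor and patch numerically. A pre-release suffix such as "-rc.1"
# is dropped, so 0.29.0-rc.1 is treated as 0.29.0.
version_lt() {
    a=$(printf '%s' "$1" | cut -d- -f1)
    b=$(printf '%s' "$2" | cut -d- -f1)
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# True (exit 0) when the ca.json at $1 lists a provisioner of type SSHPOP.
# Matching on the raw text avoids a jq dependency; whitespace around the
# colon and letter case are tolerated.
has_sshpop_provisioner() {
    grep -Eiq '"type"[[:space:]]*:[[:space:]]*"SSHPOP"' "$1"
}

# Combine both conditions. $1 is the text of `step-ca --version`, $2 the
# config path. Exit 0 = matches the vulnerable conditions, 1 = does not,
# 2 = no version could be parsed (treat as "check manually").
is_vulnerable() {
    v=$(parse_version "$1")
    if [ -z "$v" ]; then
        echo "could not parse a version from: $1" >&2
        return 2
    fi
    version_lt "$v" "$FIXED_VERSION" && has_sshpop_provisioner "$2"
}

# Stand-alone demo on the constructed sample. On a real host the config path
# is typically "$STEPPATH/config/ca.json" (assumed default), so run:
#   is_vulnerable "$(step-ca --version 2>&1)" "$STEPPATH/config/ca.json"
demo_cfg=$(mktemp)
printf '%s\n' "$SAMPLE_WITH_SSHPOP" > "$demo_cfg"
if is_vulnerable "Smallstep CA/0.28.1 (linux/amd64)" "$demo_cfg"; then
    echo "VULNERABLE: step-ca below $FIXED_VERSION with an SSHPOP provisioner configured"
else
    echo "not matching the CVE-2025-66406 conditions"
fi
rm -f "$demo_cfg"
```

The text match on "type": "SSHPOP" is deliberately loose so it works without jq; a provisioner that is present but disabled through other means still counts, which is the conservative answer for a vulnerability check. Exit code 2 is reserved for an unparseable version so that automation does not silently read a parsing failure as "not vulnerable".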
📡 Detection & Monitoring
Log Indicators:
- Unexpected SSH certificate revocation events
- Revocation requests from unauthorized sources
- Failed authorization attempts for certificate operations
Network Indicators:
- Unusual traffic patterns to Step CA revocation endpoints
- SSH connection failures following certificate changes
SIEM Query (Splunk-style example; adapt the source and field names to what your log pipeline actually emits):
source="step-ca" AND (event="certificate_revoked" OR event="ssh_cert_revoked") | stats count by src_ip, user