OpenSSL Patches Forgery Flaw
Monday, July 13, 2015 @ 02:07 PM gHale
OpenSSL developers released new versions to address a high severity vulnerability attackers could leverage to issue invalid certificates.
The new versions, 1.0.2d and 1.0.1p, were the result of an issue described by OpenSSL as an alternative chain certificate forgery flaw (CVE-2015-1793).
The vulnerability came out when OpenSSL versions 1.0.1n and 1.0.2b released last month.
The vulnerability falls in line with the certificate verification process, said in an advisory. If the first attempt to build a certificate chain fails, OpenSSL will try to identify an alternative chain.
“An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and ‘issue’ an invalid certificate,” the OpenSSL Project team explained. “This issue will impact any application that verifies certificates including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.”
The vulnerability came to the developers of the SSL/TLS toolkit on June 24 from Google’s Adam Langley and David Benjamin, who both work on BoringSSL, the search giant’s own version of OpenSSL. OpenSSL developers said the fix for CVE-2015-1793 came from members of the BoringSSL project.
This bug affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o. It does not impact the 1.0.0 or 0.9.8 releases, OpenSSL said. Users of OpenSSL 1.0.2b and 1.0.2c should upgrade their installations to version 1.0.2d, while OpenSSL 1.0.1n and 1.0.1o users should upgrade to version 1.0.1p.