

Wednesday, Jul 08, 2015

OpenSSL Update Released for "Alternative chains certificate forgery" Vulnerability


Carl Leonard Principal Security Analyst

<p>
Websense&reg; Security Labs&trade; have been watching since Monday 6 July for details of an anticipated release of the OpenSSL open source toolkit for SSL/TLS.</p>

<p>
Today (9 July 2015) the OpenSSL Project released an update to the popular toolkit detailed in the Security Advisory available here:&nbsp;<a href="https://www.openssl.org/news/secadv_20150709.txt">https://www.openssl.or...

<p>
<img alt="" src="/sites/default/files/blog/legacy/1307.openssl_cve20151793.png-550x0.png" style="height:190px; width:549px" /></p>

<p>
The advisory details an implementation error in the logic that builds certificate chains.&nbsp; The so-called &quot;Alternative chains certificate forgery&quot; issue allows an attacker to bypass certain checks, so that a valid leaf certificate can be used as though it were a CA (Certificate Authority) certificate to issue further certificates.</p>

<p>
The issue has been assigned CVE-2015-1793 and is classified as &quot;High&quot; severity.</p>

<p>
If you are using one of the affected versions of OpenSSL (1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o) we encourage you to consider applying the latest version of OpenSSL if applicable to your environment and deployment.&nbsp; The availability details and release notes for OpenSSL v1.0.2d (for example) can be found here:&nbsp;<a href="https://mta.openssl.org/pipermail/openssl-announce/2015-July/000039.html...

<p>
The advance warning of a forthcoming release was made on 6 July 2015.&nbsp; That is archived here:<a href="https://mta.openssl.org/pipermail/openssl-announce/2015-July/000037.html...

<p>
It is recommended that users of OpenSSL, and similar toolkits, adopt a process to monitor for such notifications and build a patch management process suitable for their needs.</p>
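<p>
As a practical starting point for the patch-management process suggested above, the following shell snippet is an added example (not code from the original post, the OpenSSL Project, or Forcepoint). It parses the output of <code>openssl version</code> and reports whether the build is one of the four versions the advisory lists as affected (1.0.2b, 1.0.2c, 1.0.1n and 1.0.1o); the function names and the sample version strings are constructed for this example.</p>

```sh
#!/bin/sh
# Added example, not part of the original post: flag OpenSSL builds named as
# affected by CVE-2015-1793 in the advisory quoted above.
# Affected versions per the advisory: 1.0.2b, 1.0.2c, 1.0.1n, 1.0.1o.

# is_affected_openssl "<output of 'openssl version'>"
# Returns 0 (true) if the version number is in the affected list, 1 otherwise.
is_affected_openssl() {
  # Typical input (constructed sample): "OpenSSL 1.0.2c 12 Jun 2015"
  ver=$(printf '%s\n' "$1" | awk '{print $2}')
  # Drop vendor suffixes such as "-fips" so "1.0.2c-fips" is still matched.
  ver=${ver%%-*}
  case "$ver" in
    1.0.2b|1.0.2c|1.0.1n|1.0.1o) return 0 ;;
    *) return 1 ;;
  esac
}

# check_local_openssl: run the check against the openssl binary on PATH.
check_local_openssl() {
  if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found on PATH"
    return 2
  fi
  v=$(openssl version)
  if is_affected_openssl "$v"; then
    echo "AFFECTED (CVE-2015-1793): $v"
    return 0
  fi
  echo "not in the affected list: $v"
  return 1
}

# Usage: sh check_openssl.sh --check
if [ "${1:-}" = "--check" ]; then
  check_local_openssl
fi
```

<p>
One caveat a practitioner should keep in mind: distribution vendors often backport fixes without changing the version string, so a build that reports an affected version may already be patched, and a build that reports an unaffected version may be a vendor-modified one. Treat the output as a prompt to consult the vendor's own advisory rather than as a final verdict.</p>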

About the Author

Carl Leonard

Principal Security Analyst

Carl Leonard is a Principal Security Analyst within Forcepoint X-Labs. He is responsible for enhancing threat protection and threat monitoring technologies at Forcepoint, in collaboration with the company’s global Labs teams. Focusing on protecting companies against the latest cyberattacks that...