X-Labs
July 8, 2015

OpenSSL Update Released for "Alternative chains certificate forgery" Vulnerability

Carl Leonard Principal Security Analyst

<p>
Websense&reg; Security Labs&trade; have, since Monday 6 July, been looking out for details of an anticipated release to the OpenSSL open source toolkit for SSL/TLS.</p>

<p>
Today (9 July 2015) the OpenSSL Project released an update to the popular toolkit detailed in the Security Advisory available here:&nbsp;<a href="https://www.openssl.org/news/secadv_20150709.txt">https://www.openssl.or...</a></p>

<p>
<img alt="" src="/sites/default/files/blog/legacy/1307.openssl_cve20151793.png-550x0.png" style="height:190px; width:549px" /></p>

<p>
The advisory details an implementation error in the logic around certificate chains.&nbsp; The so-called &quot;Alternative chains certificate forgery&quot; issue permits an attacker to bypass certain certificate-chain checks, enabling them to use a valid leaf certificate as if it were a CA (Certificate Authority) and generate certificates.</p>

<p>
The issue has been assigned CVE-2015-1793 and is classified as &quot;High&quot; severity.</p>

<p>
If you are using one of the affected versions of OpenSSL (1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o) we encourage you to consider applying the latest version of OpenSSL if applicable to your environment and deployment.&nbsp; The availability details and release notes for OpenSSL v1.0.2d (for example) can be found here:&nbsp;<a href="https://mta.openssl.org/pipermail/openssl-announce/2015-July/000039.html">https://mta.openssl.org/pipermail/openssl-announce/2015-July/000039.html...</a></p>
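A small inventory check that flags the four affected releases named above, as an added example that is not part of the original post or of the OpenSSL project. It parses the banner printed by `openssl version` and reports the fixed release for each branch (1.0.2d, and 1.0.1p for the 1.0.1 branch, as stated in the OpenSSL advisory); the `assess_local_openssl` helper and its default binary path are assumptions.

```python
import re
import subprocess
from typing import Optional, Tuple

# Releases listed as affected in OpenSSL advisory secadv_20150709 (CVE-2015-1793),
# keyed by branch, together with the release that fixed that branch.
AFFECTED = {
    "1.0.2": ({"b", "c"}, "1.0.2d"),
    "1.0.1": ({"n", "o"}, "1.0.1p"),
}

# Matches banners such as "OpenSSL 1.0.2c 12 Jun 2015" or "OpenSSL 1.0.1e-fips 11 Feb 2013".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")


def parse_version(banner: str) -> Optional[Tuple[str, str]]:
    """Return (branch, patch_letter) from an `openssl version` banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return m.group(1), m.group(2)


def assess(banner: str) -> dict:
    """Classify a banner as affected / not_affected / unknown for CVE-2015-1793."""
    parsed = parse_version(banner)
    if parsed is None:
        return {"status": "unknown", "version": None, "fixed_in": None}
    branch, letter = parsed
    version = branch + letter
    if branch in AFFECTED:
        letters, fixed = AFFECTED[branch]
        if letter in letters:
            return {"status": "affected", "version": version, "fixed_in": fixed}
    # Earlier letters (e.g. 1.0.1e) and the fixed releases are not in the advisory's list.
    return {"status": "not_affected", "version": version, "fixed_in": None}


def assess_local_openssl(binary: str = "openssl") -> dict:
    """Run the local binary (hypothetical helper) and assess its banner."""
    try:
        proc = subprocess.run([binary, "version"], capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return {"status": "unknown", "version": None, "fixed_in": None}
    return assess(proc.stdout)


if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    for sample in ("OpenSSL 1.0.2c 12 Jun 2015", "OpenSSL 1.0.1e-fips 11 Feb 2013",
                   "OpenSSL 1.0.2d 9 Jul 2015"):
        print(sample, "->", assess(sample))
```

Distribution packages often backport fixes without changing the version letter, so a banner-only check is a first pass; confirm against the vendor's changelog for the package in question.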

<p>
The advance warning of a forthcoming release was made on 6 July 2015.&nbsp; That is archived here: <a href="https://mta.openssl.org/pipermail/openssl-announce/2015-July/000037.html">https://mta.openssl.org/pipermail/openssl-announce/2015-July/000037.html...</a></p>

<p>
It is recommended that users of OpenSSL, and similar toolkits, adopt a process to monitor for such notifications and build a patch management process suitable for their needs.</p>

Carl Leonard

Principal Security Analyst

Carl Leonard is a Principal Security Analyst within Forcepoint X-Labs. He is responsible for enhancing threat protection and threat monitoring technologies at Forcepoint, in collaboration with the company’s global Labs teams. Focusing on protecting companies against the latest cyberattacks that...
