A bug found in OpenSSL allows attackers to act as CA (Certificate Authority)
OpenSSL announced on Monday this week about the forthcoming release of versions 1.0.2d and 1.0.1p. Since yesterday 9th, July the release has been available as mentioned in the announcement. It concerns detected CVE-2015-1793 (Alternative chains certificate forgery) that is classified as vulnerability with high severity.Google researcher Adam Langley and BoringSSL’s David Benjamin reported the bug two weeks ago to the OpenSSL project.
The Kernel of CVE-2015-1793
According to OpenSSL Security Advisory the core of the issue is that OpenSSL can fail to validate accurately if a certificate is issued from a trustworthy CA (Certificate Authority). This in turn allows attackers to act as CA and distribute invalid certificates for implementing man-in-the-middle attacks. This bug makes the attackers capable of engendering applications to see untrusted and invalid SSL (Secure Sockets Layer) certificates as valid. Thus, the protection of the secrets passed between clients and servers accomplished by cryptographic procedures is disabled. Applications that verify certificates containing TLS/SSL/DTLS clients and TLS/SSL/DTLS servers using client authentication can be affected by the issue.
In fact OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o are affected by this vulnerability.
The OpenSSL Project Team also mentioned that version 1.0.0 or 0.9.8 releases are not affected by this bug.
-
Necessary upgrades
- Users using OpenSSL 1.0.2b/1.0.2c should upgrade to 1.0.2d.
- Users using OpenSSL 1.0.1n/1.0.1o should upgrade to 1.0.1p.
Unaffected Participants
Fortunately, Mozilla Firefox, Apple Safari and Internet Explorer are not affected as they don’t use OpenSSL for certificate validation. They apply their crypto libraries. As for Google Chrome, it uses BoringSSL that is Google made version of OpenSSL in co-operate with OpenSSL developers.
The OpenSSL packages distributed with Red Hat, Debian and Ubuntu part of Linux distributions are also not affected.
Open source solution provider Red Hat also made an announcement on this topic that even they had no OpenSSL updates since June 2015 they still entirely unaffected by this vulnerability.