OpenSSL Alternative Chains Certificate Forgery Vulnerability (CVE-2015-1793)

This vulnerability affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n, and 1.0.1o. Users of versions 1.0.2b and 1.0.2c are advised to immediately upgrade to 1.0.2d. Users of versions 1.0.1n and 1.0.1o are advised to immediately upgrade to 1.0.1p.

Users of OpenSSL versions 1.0.0 and 0.9.8 are not affected by this issue. However, from 31st December 2015 there will be no further security releases for these versions.

OpenSSL is open-source software used mainly on internet-facing devices, including the majority of web servers (excluding Windows). It is generally not used on client machines such as personal computers and handheld devices.

The vulnerability could potentially allow an attacker to generate a valid leaf certificate which OpenSSL would recognise as a CA. It comes into play when an affected version of OpenSSL is used to validate a certificate chain, for example during server-to-server communication or client certificate authentication.

Users with a website utilising OpenSSL should check the current version being used and apply updates as soon as possible.
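As an added example (not part of the original advisory), the following POSIX shell function classifies the output of `openssl version` against the affected and fixed versions listed above, so an administrator can script the check across a fleet. The sample version strings at the bottom are constructed for illustration; the function name `cve_2015_1793_status` is an assumption of this example.

```shell
#!/bin/sh
# Added example: classify an `openssl version` string against the versions
# the advisory lists for CVE-2015-1793. Usage:
#   cve_2015_1793_status "$(openssl version)"
cve_2015_1793_status() {
    # $1 is the full output of `openssl version`, e.g. "OpenSSL 1.0.2c 12 Jun 2015";
    # the second whitespace-separated field is the version (possibly with a
    # suffix such as "-fips", hence the trailing wildcards below).
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        1.0.2b*|1.0.2c*)
            echo "affected: $ver -> upgrade to 1.0.2d" ;;
        1.0.1n*|1.0.1o*)
            echo "affected: $ver -> upgrade to 1.0.1p" ;;
        1.0.0*|0.9.8*)
            echo "not affected: $ver (no security releases after 31 Dec 2015)" ;;
        *)
            echo "not listed as affected: $ver" ;;
    esac
}

# Constructed sample inputs (not real hosts); in practice pass "$(openssl version)".
for sample in "OpenSSL 1.0.2c 12 Jun 2015" \
              "OpenSSL 1.0.1o 12 Jun 2015" \
              "OpenSSL 1.0.0s 11 Jun 2015" \
              "OpenSSL 1.0.2d 9 Jul 2015"; do
    cve_2015_1793_status "$sample"
done
```

Because the function only looks at the version field, it works unchanged with the `-fips` suffixed builds some distributions ship; versions not named in the advisory are reported as "not listed as affected" rather than "safe", since the advisory only speaks for the versions it lists.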
