Security Alert (A15-07-05): Vulnerability in OpenSSL


 

Published on: 10 July 2015

  
  
h4>Description:

By exploiting the vulnerability in the OpenSSL library, an attacker could bypass certain checks on certificates, such as the Certificate Authority (CA) flag check, enabling a certificate issued by a valid leaf certificate to be wrongly verified as issued by the valid CA.


Affected Systems:

  • OpenSSL versions 1.0.1n, 1.0.1o, 1.0.2b and 1.0.2c
  • Any systems such as operating systems, web servers, VPN gateways or appliances using affected OpenSSL libraries

Impact:

The attack could lead to wrongful verification of spoofed certificates at systems using OpenSSL.


Recommendation:

The vulnerability is fixed in OpenSSL 1.0.1p and 1.0.2d. Users with systems such as HTTPS protected websites or SSL-VPN gateways using OpenSSL to encrypt network traffic should check with their product vendors if the vulnerable OpenSSL versions are used and if so, upgrade to the fixed versions or follow the recommendations provided by the product vendors to mitigate the risk.


The OpenSSL Software Foundation announced that support for OpenSSL 0.9.8 and 1.0.0 will be ceased after 31 Dec 2015, no security updates for 0.9.8 and 1.0.0 will be provided after that. Users should consider upgrading to the latest versions of 1.0.1 or 1.0.2, or contact their product vendors for support.

More Information:

https://www.openssl.org/news/secadv_20150709.txt
https://www.hkcert.org/my_url/en/alert/15071001
https://www.us-cert.gov/ncas/current-activity/2015/07/09/OpenSSL-Releases-Security-Advisory
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1793



Tag: OpenSSL
Tags