This morning the OpenSSL team released a security advisory stating that the latest versions of OpenSSL contain a severe vulnerability that can allow an attacker to bypass certain certificate validation checks, enabling them to issue an invalid certificate. The vulnerability was introduced as part of the June 11th OpenSSL patch and was discovered on June 24th by Adam Langley and David Benjamin of Google/BoringSSL.
This issue only affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o. Users of these versions should upgrade immediately to OpenSSL 1.0.2d or 1.0.1p, respectively. The systems most likely to be affected are the various Linux distributions that keep their packages current with OpenSSL development; however, both Red Hat and CentOS have already stated that they are not affected by this vulnerability.
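Because the affected and fixed releases are adjacent letter revisions of the same two branches, a quick first pass is to compare the banner from `openssl version` against the lists above. The following script is an added example written for this post, not BeyondTrust's audit logic; the version lists come from the paragraph above, while the `openssl version` banners it parses are constructed sample input, and the distribution caveat (a vendor build may carry a patched package under an older-looking version string, or, as with Red Hat and CentOS here, never have shipped the vulnerable code) is why the result is a triage hint rather than proof.

```python
import re
import subprocess

# Versions named as affected in the advisory, and the fixed release per branch.
AFFECTED = {"1.0.1n", "1.0.1o", "1.0.2b", "1.0.2c"}
FIXED = {"1.0.1": "1.0.1p", "1.0.2": "1.0.2d"}

# Matches banners such as "OpenSSL 1.0.2c 12 Jun 2015" or "OpenSSL 1.0.1e-fips ...".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")


def parse_version(banner):
    """Return (base, letter) from an `openssl version` banner, e.g. ('1.0.2', 'c'),
    or None when the banner is not an OpenSSL version string."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return m.group(1), m.group(2)


def assess(banner):
    """Classify a banner as 'affected', 'fixed', 'not-affected' or 'unknown'.

    Only the 1.0.1 and 1.0.2 branches ever carried the bug: releases before the
    affected letter revisions predate the June 11th patch, and the fixed letter
    revision or anything later contains the correction.
    """
    parsed = parse_version(banner)
    if parsed is None:
        return "unknown"
    base, letter = parsed
    if base + letter in AFFECTED:
        return "affected"
    fixed = FIXED.get(base)
    if fixed is None:
        return "not-affected"          # branch never contained the vulnerable code
    fixed_letter = fixed[len(base):]   # 'p' for 1.0.1, 'd' for 1.0.2
    if letter >= fixed_letter:         # letter revisions sort lexically
        return "fixed"
    return "not-affected"              # earlier than the patch that introduced the bug


def local_openssl_banner():
    """Run `openssl version` on this host and return its banner, or '' if absent.
    Caveat: distributions that backport fixes may keep an older version string,
    so confirm with the package changelog before acting on 'affected'."""
    try:
        result = subprocess.run(["openssl", "version"], capture_output=True,
                                text=True, check=False)
    except FileNotFoundError:
        return ""
    return result.stdout.strip()


if __name__ == "__main__":
    # Constructed sample banners, plus whatever the local host reports.
    samples = [
        "OpenSSL 1.0.2c 12 Jun 2015",
        "OpenSSL 1.0.1p 9 Jul 2015",
        "OpenSSL 1.0.1e-fips 11 Feb 2013",
        local_openssl_banner(),
    ]
    for banner in samples:
        print(f"{banner or '<no openssl found>'!r}: {assess(banner)}")
```

Run it on each host in question and treat `affected` as a prompt to check the vendor package changelog and then upgrade to 1.0.2d or 1.0.1p, not as a final verdict; a credentialed scan such as the BeyondTrust audits listed below does the equivalent across the estate.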
To determine if your systems are affected by CVE-2015-1793, BeyondTrust has released the following vulnerability scan audits which are available in audits release 2932:
- 47601 - OpenSSL < 1.0.1p/1.0.2d Alternative Chains Certificate Forgery - Remote
- 47602 - OpenSSL < 1.0.1p/1.0.2d Alternative Chains Certificate Forgery - Credentialed
- Retina Network Security Scanner
- PowerBroker Identity Services
- PowerBroker for Unix & Linux
- PowerBroker for Databases

Scott Lang, Sr. Director, Product Marketing at BeyondTrust
Scott Lang has nearly 20 years of experience in technology product marketing, currently guiding the product marketing strategy for BeyondTrust’s privileged account management solutions and vulnerability management solutions. Prior to joining BeyondTrust, Scott was director of security solution marketing at Dell, formerly Quest Software, where he was responsible for global security campaigns, product marketing for identity and access management and Windows server management.