CVE-2015-1793: OpenSSL Alternative Chains Certificate Forgery
Jul 9, 2015
Author:
Scott Lang
Sr. Director, Product Marketing at BeyondTrust
This morning the OpenSSL team released a security advisory stating that the latest versions of OpenSSL contain a severe vulnerability that can allow an attacker to bypass certain certificate validation checks, enabling them to issue an invalid certificate. The vulnerability was introduced as part of the June 11th OpenSSL patch and was discovered on June 24th by Adam Langley and David Benjamin of Google/BoringSSL.
This issue affects only OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o. Users of these versions should upgrade immediately to OpenSSL 1.0.2d or 1.0.1p. The systems most likely affected are the Linux distributions that keep their packages up to date with OpenSSL development; however, both Red Hat and CentOS have already stated that they are not affected by this vulnerability.
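A quick way to triage a host against the version list above is to parse the banner printed by `openssl version` and compare it with the affected and fixed releases named in this post. The script below is an added example, not BeyondTrust's audit or anything from the OpenSSL project; the version sets are taken from the paragraph above, the banner strings in the test are constructed, and `local_banner()` simply shells out to whatever `openssl` binary is on the PATH. A distribution build that backports fixes (the Red Hat and CentOS statement above is exactly that case) cannot be judged from the upstream version string alone, so the result is a hint to be confirmed against the vendor advisory, not a verdict.

```python
import re
import subprocess
from typing import Optional, Tuple

# Releases this post lists as affected by CVE-2015-1793.
AFFECTED = {"1.0.2b", "1.0.2c", "1.0.1n", "1.0.1o"}
# First fixed release on each affected branch, also from the post.
FIXED = {"1.0.2": "d", "1.0.1": "p"}

# Matches the leading part of e.g. "OpenSSL 1.0.2c 12 Jun 2015".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

Version = Tuple[int, int, int, str]


def parse_version(banner: str) -> Optional[Version]:
    """Parse an 'openssl version' banner into (major, minor, patch, letter).

    Returns None for anything that is not an OpenSSL banner (LibreSSL, garbage).
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def assess(banner: str) -> str:
    """Classify a banner as 'affected', 'fixed', 'not-affected' or 'unknown'.

    'fixed' means the branch had the bug and this release is at or past the
    fixed letter; 'not-affected' means the bug was never in that release.
    Upstream version numbers only: distro backports are not visible here.
    """
    v = parse_version(banner)
    if v is None:
        return "unknown"
    major, minor, patch, letter = v
    exact = f"{major}.{minor}.{patch}{letter}"
    if exact in AFFECTED:
        return "affected"
    branch = f"{major}.{minor}.{patch}"
    if branch in FIXED:
        # OpenSSL letter suffixes are single characters that sort in
        # release order, so a plain string comparison is enough here.
        return "fixed" if letter >= FIXED[branch] else "not-affected"
    return "not-affected"


def local_banner() -> str:
    """Run 'openssl version' on this host; empty string if unavailable."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=False)
    except OSError:
        return ""
    return out.stdout.strip()


if __name__ == "__main__":
    banner = local_banner()
    print(f"{banner or '<no openssl binary>'}: {assess(banner)}")
```

Run it directly to classify the local binary, or import `assess()` and feed it banners collected from fleet inventory. An `affected` result on a host whose vendor has said it backported the fix (the Red Hat and CentOS case above) should be reconciled against the package changelog rather than treated as confirmed exposure.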
To determine if your systems are affected by CVE-2015-1793, BeyondTrust has released the following vulnerability scan audits which are available in audits release 2932: