OpenSSL Certificate Forgery Vulnerability

Number: AV15-061
Date: July 9, 2015

Purpose

The purpose of this advisory is to bring attention to a certificate forgery vulnerability in OpenSSL.

Assessment

An attacker can use this vulnerability to bypass checks on untrusted certificates, which allows a valid leaf certificate to act as a certificate authority and issue an invalid certificate.

This will impact any application that verifies certificates, including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.

It should be noted that many hardware and software products use OpenSSL, and the integration is not always clear or visible.

Affected Software versions:
- OpenSSL 1.0.1n, 1.0.1o, 1.0.2b and 1.0.2c.

CVE References: CVE-2015-1793

Suggested action

CCIRC recommends that system administrators test and deploy the vendor-released update to affected applications accordingly.

The newly released OpenSSL versions 1.0.1p and 1.0.2d include the security patch.

CCIRC recommends organizations consult with vendors for confirmation on whether their products are utilizing vulnerable versions of OpenSSL. As vendor-released updates become available, organizations should test and deploy updates to affected applications accordingly.
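
One way to support the inventory step recommended above, as an added example that is not part of the CCIRC advisory or of OpenSSL's own tooling: it sweeps a directory tree for the release banner that OpenSSL builds embed (for instance in a statically linked binary or an unpacked firmware image) and reports files carrying one of the four affected releases. The function names, the size limit and the sample bytes are assumptions made for illustration.

```python
import re
import sys
from pathlib import Path

# Affected releases exactly as listed in the advisory above.
AFFECTED = {"1.0.1n", "1.0.1o", "1.0.2b", "1.0.2c"}

# OpenSSL 1.0.x builds carry a release banner such as
# "OpenSSL 1.0.2c 12 Jun 2015"; an optional "-fips" style suffix is skipped.
BANNER = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)(?:-[A-Za-z0-9.]+)? +\d{1,2} [A-Z][a-z]{2} \d{4}"
)

def banners_in(data):
    """Return the set of OpenSSL release strings embedded in a byte blob."""
    return {m.group(1).decode("ascii") for m in BANNER.finditer(data)}

def classify(data):
    """Split embedded releases into those the advisory lists and the rest."""
    found = banners_in(data)
    return {"affected": sorted(found & AFFECTED),
            "other": sorted(found - AFFECTED)}

def scan_tree(root, max_bytes=64 * 1024 * 1024):
    """Map each regular file under root to the affected releases it embeds."""
    hits = {}
    for path in Path(root).rglob("*"):
        try:
            if path.is_symlink() or not path.is_file():
                continue
            if path.stat().st_size > max_bytes:
                continue  # assumption: skip very large files to bound memory
            affected = classify(path.read_bytes())["affected"]
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        if affected:
            hits[str(path)] = affected
    return hits

# Constructed sample: bytes shaped like a binary with a statically linked copy.
SAMPLE = b"\x7fELF\x00junk\x00OpenSSL 1.0.2c 12 Jun 2015\x00more\x00"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for name, versions in sorted(scan_tree(sys.argv[1]).items()):
            print(f"{name}: embeds affected OpenSSL {', '.join(versions)}")
    else:
        print(classify(SAMPLE))
```

A banner match is a lead to confirm with the vendor rather than proof of exposure, since a product may ship a patched build under an unchanged version string.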

References

https://www.openssl.org/news/secadv_20150709.txt
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1793

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that the CCIRC PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca
