Vulnerabilities > CVE-2015-1793 - 7PK - Security Features vulnerability in multiple products

CVSS 6.5 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: LOW
Integrity impact: LOW
Availability impact: NONE
Tags: network, low complexity, oracle, openssl, CWE-254, nessus, exploit available, metasploit

Summary

The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly process X.509 Basic Constraints cA values during identification of alternative certificate chains, which allows remote attackers to spoof a Certification Authority role and trigger unintended certificate verifications via a valid leaf certificate.
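Added example (not part of this CVE record or of any Tenable plugin): a Python version-window check in the spirit of the Nessus banner plugins listed below, which flag OpenSSL 1.0.1 before 1.0.1p and 1.0.2 before 1.0.2d. It takes the affected releases from the summary above (1.0.1n, 1.0.1o, 1.0.2b, 1.0.2c), orders OpenSSL's letter and -beta suffixes correctly, and returns the fixed release for a banner that falls inside the window. The function names, the AFFECTED_WINDOWS table and the sample banners are mine; the sample banners are constructed, not captured from a real host.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected window per 1.0.x branch, from the summary above: alternative-chain
# lookup appeared in 1.0.1n / 1.0.2b and the flaw was fixed in 1.0.1p / 1.0.2d.
# Window is [first affected, fixed), i.e. the fixed release itself is clean.
AFFECTED_WINDOWS: Dict[str, Tuple[str, str]] = {
    "1.0.1": ("1.0.1n", "1.0.1p"),  # 1.0.1n and 1.0.1o are affected
    "1.0.2": ("1.0.2b", "1.0.2d"),  # 1.0.2b and 1.0.2c are affected
}

# Version token as printed by `openssl version`, e.g. "OpenSSL 1.0.2c 12 Jun 2015"
# or a vendor build such as "OpenSSL 1.0.1o-fips". A "-betaN" suffix is captured
# separately because betas sort before the final release and its letter updates.
_VERSION_RE = re.compile(r"OpenSSL (\d+(?:\.\d+)*)(-beta\d+|[a-z]*)")


def parse_version(banner: str) -> Optional[Tuple[Tuple[int, ...], int, str]]:
    """Split a banner into (numeric parts, beta number or 0, patch letters)."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    numbers = tuple(int(x) for x in m.group(1).split("."))
    suffix = m.group(2)
    if suffix.startswith("-beta"):
        return numbers, int(suffix[len("-beta"):]), ""
    return numbers, 0, suffix


def version_key(banner: str) -> Tuple:
    """Sortable key: 1.0.2-beta3 < 1.0.2 < 1.0.2a < ... < 1.0.2z < 1.0.2za."""
    parsed = parse_version(banner)
    if parsed is None:
        raise ValueError(f"no OpenSSL version in {banner!r}")
    numbers, beta, letters = parsed
    is_final = 0 if beta else 1
    # (len, letters) orders "" < "a" < "z" < "za", matching OpenSSL's scheme.
    return (numbers, is_final, beta, len(letters), letters)


def affected_fix(banner: str) -> Optional[str]:
    """Return the fixed release if the banner is inside an affected window, else None."""
    parsed = parse_version(banner)
    if parsed is None:
        return None
    branch = ".".join(str(n) for n in parsed[0][:3])
    window = AFFECTED_WINDOWS.get(branch)
    if window is None:
        return None  # 0.9.8, 1.0.0, 1.1.x never had the flawed lookup
    first_bad, fixed = window
    key = version_key(banner)
    if version_key("OpenSSL " + first_bad) <= key < version_key("OpenSSL " + fixed):
        return fixed
    return None


def triage(banners: List[str]) -> Dict[str, Optional[str]]:
    """Map each banner to the fixed release it needs, or None if not in a window."""
    return {b: affected_fix(b) for b in banners}


# Constructed sample banners (assumed output shapes, not captured from any host).
SAMPLE_BANNERS = [
    "OpenSSL 1.0.1o 12 Jun 2015",
    "OpenSSL 1.0.1p 9 Jul 2015",
    "OpenSSL 1.0.2c 12 Jun 2015",
    "OpenSSL 1.0.2d-fips 9 Jul 2015",
    "OpenSSL 1.0.1k 8 Jan 2015",
    "OpenSSL 1.0.2-beta3",
    "OpenSSL 1.1.0 25 Aug 2016",
]

if __name__ == "__main__":
    for banner, fix in triage(SAMPLE_BANNERS).items():
        verdict = f"affected, fixed in {fix}" if fix else "outside affected window"
        print(f"{banner:32} -> {verdict}")
```

A banner match is triage, not proof: distribution builds carry their own patch levels under an unchanged upstream number. The Fedora entries below ship a CVE-2015-1793 fix in openssl-1.0.1k-11, a package whose upstream number lies outside the window entirely, so for vendor packages the package version checked against the vendor advisory is the authoritative test, as the distribution-specific Nessus plugins listed below do.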

Common Weakness Enumeration (CWE)

Exploit-Db

description: OpenSSL Alternative Chains Certificate Forgery. CVE-2015-1793. Webapps exploit for multiple platforms
file: exploits/multiple/webapps/38640.rb
id: EDB-ID:38640
last seen: 2016-02-04
modified: 2015-11-05
platform: multiple
port:
published: 2015-11-05
reporter: Ramon de C Valle
source: https://www.exploit-db.com/download/38640/
title: OpenSSL Alternative Chains Certificate Forgery
type: webapps

Metasploit

description: This module exploits a logic error in OpenSSL by impersonating the server and sending a specially crafted chain of certificates, which causes certain checks on untrusted certificates to be bypassed on the client and allows a valid leaf certificate to be used as a CA certificate to sign a fake certificate. The SSL/TLS session is then proxied to the server, allowing the session to continue normally and the application data transmitted between the peers to be saved. The valid leaf certificate must not contain the keyUsage extension, or it must have at least the keyCertSign bit set (see the X509_check_issued function in crypto/x509v3/v3_purp.c); otherwise X509_verify_cert fails with X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY. This module requires an active man-in-the-middle attack.
id: MSF:AUXILIARY/SERVER/OPENSSL_ALTCHAINSFORGERY_MITM_PROXY
last seen: 2020-06-04
modified: 2020-05-30
published: 2015-07-16
references:
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/server/openssl_altchainsforgery_mitm_proxy.rb
title: OpenSSL Alternative Chains Certificate Forgery MITM Proxy

Nessus

  • NASL family: Misc.
    NASL id: SECURITYCENTER_OPENSSL_1_0_1P.NASL
    description: The SecurityCenter application installed on the remote host is affected by a certificate validation bypass vulnerability in the bundled OpenSSL library. The library is version 1.0.1n or later and prior to 1.0.1p. It is, therefore, affected by a flaw in the X509_verify_cert() function that is triggered when locating alternate certificate chains in cases where the first attempt to build such a chain fails. A remote attacker can exploit this to cause certain certificate checks to be bypassed, resulting in an invalid certificate being considered valid.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 85565
    published: 2015-08-20
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/85565
    title: Tenable SecurityCenter Alternative Certificate Validation Bypass Vulnerability (TNS-2015-08)
    code:
    #TRUSTED
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(85565);
      script_version("1.18");
      script_cvs_date("Date: 2019/11/22");
    
      script_cve_id("CVE-2015-1793");
      script_bugtraq_id(75652);
    
      script_name(english:"Tenable SecurityCenter Alternative Certificate Validation Bypass Vulnerability (TNS-2015-08)");
      script_summary(english:"Checks the version of OpenSSL in SecurityCenter.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote application is affected by a certificate validation bypass
    vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The SecurityCenter application installed on the remote host is
    affected by a certificate validation bypass vulnerability in the
    bundled OpenSSL library. The library is version 1.0.1n or later and
    prior to 1.0.1p. It is, therefore, affected by a flaw in the
    X509_verify_cert() function that is triggered when locating alternate
    certificate chains in cases where the first attempt to build such a
    chain fails. A remote attacker can exploit this to cause certain
    certificate checks to be bypassed, resulting in an invalid certificate
    being considered valid.");
      script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/tns-2015-08");
      script_set_attribute(attribute:"see_also", value:"https://www.openssl.org/news/secadv/20150709.txt");
      script_set_attribute(attribute:"solution", value:
    "Apply the relevant patch referenced in the vendor advisory.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-1793");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/07/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/07/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/08/20");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:tenable:securitycenter");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("securitycenter_installed.nbin", "securitycenter_detect.nbin");
      script_require_ports("Host/SecurityCenter/Version", "installed_sw/SecurityCenter", "Host/local_checks_enabled");
    
      exit(0);
    }
    
    include("openssl_version.inc");
    include("misc_func.inc");
    include("ssh_func.inc");
    include("telnet_func.inc");
    include("hostlevel_funcs.inc");
    include("install_func.inc");
    
    
    if(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)
      enable_ssh_wrappers();
    else disable_ssh_wrappers();
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    sc_ver = get_kb_item("Host/SecurityCenter/Version");
    port = 0;
    if(empty_or_null(sc_ver))
    {
      port = 443;
      install = get_single_install(app_name:"SecurityCenter", combined:TRUE, exit_if_unknown_ver:TRUE);
      sc_ver = install["version"];
    }
    if (! preg(pattern:"^(4\.[6-8]\.|5\.0\.[0-1])", string:sc_ver)) audit(AUDIT_INST_VER_NOT_VULN, "SecurityCenter", sc_ver);
    
    # Establish running of local commands
    if ( islocalhost() )
    {
      if ( ! defined_func("pread") ) audit(AUDIT_NOT_DETECT, "pread");
      info_t = INFO_LOCAL;
    }
    else
    {
      sock_g = ssh_open_connection();
      if (! sock_g) audit(AUDIT_HOST_NOT, "able to connect via the provided SSH credentials.");
      info_t = INFO_SSH;
    }
    
    fixes = make_list("1.0.1p", "1.0.2d");
    cutoffs = make_list("1.0.1n", "1.0.2b");
    pattern = "OpenSSL (\d+(?:\.\d+)*(-beta\d+|[a-z]*))";
    
    # Check version
    line = info_send_cmd(cmd:"/opt/sc4/support/bin/openssl version");
    if (!line) line = info_send_cmd(cmd:"/opt/sc/support/bin/openssl version");
    if (info_t == INFO_SSH) ssh_close_connection();
    
    if (!line) audit(AUDIT_UNKNOWN_APP_VER, "OpenSSL (within SecurityCenter)");
    match = pregmatch(pattern:pattern, string:line);
    if (isnull(match)) audit(AUDIT_UNKNOWN_APP_VER, line);
    version = match[1];
    
    fix = NULL;
    
    for ( i=0; i<2; i++)
    {
      if (
        openssl_ver_cmp(ver:version, fix:fixes[i], same_branch:TRUE, is_min_check:FALSE) < 0 &&
        openssl_ver_cmp(ver:version, fix:cutoffs[i], same_branch:TRUE, is_min_check:FALSE) >= 0
      )
      {
        fix = fixes[i];
        break;
      }
    }
    
    if (!isnull(fix))
    {
      report = '\n' +
        '\n  SecurityCenter version         : ' + sc_ver +
        '\n  SecurityCenter OpenSSL version : ' + version +
        '\n  Fixed OpenSSL version          : ' + fix +
        '\n';
      security_report_v4(port:port, severity:SECURITY_WARNING, extra:report);
      exit(0);
    }
    else audit(AUDIT_INST_VER_NOT_VULN, "OpenSSL (within SecurityCenter)", version);
    
  • NASL family: Misc.
    NASL id: ORACLE_ENTERPRISE_MANAGER_JAN_2016_CPU.NASL
    description: The version of Oracle Enterprise Manager Cloud Control installed on the remote host is affected by multiple unspecified vulnerabilities in the following subcomponents of the Enterprise Manager Base Platform component:
      - Agent Next Gen
      - Discovery Framework
      - Loader Service
      - UI Framework
    Note that the product was formerly known as Enterprise Manager Grid Control.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 88043
    published: 2016-01-21
    reporter: This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/88043
    title: Oracle Enterprise Manager Cloud Control Multiple Vulnerabilities (January 2016 CPU)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(88043);
      script_version("1.12");
      script_cvs_date("Date: 2018/11/15 20:50:23");
    
      script_cve_id(
        "CVE-2015-1793",
        "CVE-2015-4885",
        "CVE-2016-0411",
        "CVE-2016-0415",
        "CVE-2016-0427",
        "CVE-2016-0442",
        "CVE-2016-0443",
        "CVE-2016-0444",
        "CVE-2016-0445",
        "CVE-2016-0446",
        "CVE-2016-0447",
        "CVE-2016-0449",
        "CVE-2016-0455"
      );
      script_bugtraq_id(
        75652,
        81091,
        81111,
        81120,
        81128,
        81131,
        81134,
        81140,
        81144,
        81179,
        81190,
        81194,
        81205
      );
      script_xref(name:"EDB-ID", value:"38640");
    
      script_name(english:"Oracle Enterprise Manager Cloud Control Multiple Vulnerabilities (January 2016 CPU)");
      script_summary(english:"Checks for the patch ID.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host has an enterprise management application installed
    that is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Oracle Enterprise Manager Cloud Control installed on
    the remote host is affected by multiple unspecified vulnerabilities in
    the following subcomponents of the Enterprise Manager Base Platform
    component :
    
      - Agent Next Gen
      - Discovery Framework
      - Loader Service
      - UI Framework
    
    Note that the product was formerly known as Enterprise Manager Grid
    Control.");
      # https://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixEM
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?91eb3a54");
      script_set_attribute(attribute:"solution", value:
    "Apply the appropriate patch according to the January 2016 Oracle
    Critical Patch Update advisory.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/01/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/01/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/01/21");
    
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:enterprise_manager");
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.");
    
      script_dependencies("oracle_enterprise_manager_installed.nbin");
      script_require_keys("installed_sw/Oracle Enterprise Manager Cloud Control");
    
      exit(0);
    }
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("oracle_rdbms_cpu_func.inc");
    include("install_func.inc");
    
    product = "Oracle Enterprise Manager Cloud Control";
    install = get_single_install(app_name:product, exit_if_unknown_ver:TRUE);
    version = install['version'];
    emchome = install['path'];
    patchid = FALSE;
    fix = NULL;
    
    if (version =~ "^12\.1\.0\.5(\.[0-9])?$")
    {
      patchid = "22115901";
      fix = "12.1.0.5.160119";
    }
    if (version =~ "^12\.1\.0\.4(\.[0-9])?$")
    {
      patchid = "22132672";
      fix = "12.1.0.4.160119";
    }
    if (version =~ "^11\.1\.0\.1(\.[0-9])?$")
    {
      patchid = "22266340";
      fix = "11.1.0.1.160119";
    }
    
    if (!patchid)
      audit(AUDIT_HOST_NOT, 'affected');
    
    # compare version to check if we've already adjusted for patch level during detection
    if (ver_compare(ver:version, fix:fix, strict:FALSE) >= 0)
      audit(AUDIT_INST_PATH_NOT_VULN, product, version, emchome);
    
    # Now look for the affected components
    patchesinstalled = find_patches_in_ohomes(ohomes:make_list(emchome));
    if (isnull(patchesinstalled))
    {
      missing = patchid;
      patched = FALSE;
    }
    else
    {
      patched = FALSE;
      foreach applied (keys(patchesinstalled[emchome]))
      {
        if (applied == patchid)
        {
          patched = TRUE;
          break;
        }
        else
        {
          foreach bugid (patchesinstalled[emchome][applied]['bugs'])
          {
            if (bugid == patchid)
            {
              patched = TRUE;
              break;
            }
          }
        }
      }
      if (!patched)
      {
        missing = patchid;
      }
    }
    
    if (empty_or_null(missing))
      audit(AUDIT_HOST_NOT, 'affected');
    
    if (report_verbosity > 0)
    {
      report +=
        '\n  Product       : ' + product +
        '\n  Version       : ' + version +
        '\n  Missing patch : ' + patchid +
        '\n';
      security_warning(port:0, extra:report);
    }
    else security_warning(0);
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2015-11475.NASL
    description: Security fix for CVE-2015-1793 high severity issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2015-07-14
    plugin id: 84691
    published: 2015-07-14
    reporter: This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/84691
    title: Fedora 22 : openssl-1.0.1k-11.fc22 (2015-11475)
  • NASL family: Databases
    NASL id: MYSQL_5_6_26_RPM.NASL
    description: The version of Oracle MySQL installed on the remote host is 5.6.x prior to 5.6.26. It is, therefore, affected by the following vulnerabilities:
      - A certificate validation bypass vulnerability exists in the Security:Encryption subcomponent due to a flaw in the X509_verify_cert() function in x509_vfy.c that is triggered when locating alternate certificate chains when the first attempt to build such a chain fails. A remote attacker can exploit this, by using a valid leaf certificate as a certificate authority (CA), to issue invalid certificates that will bypass authentication. (CVE-2015-1793)
      - An unspecified flaw exists in the Client Programs subcomponent. A local attacker can exploit this to gain elevated privileges. (CVE-2015-4819)
      - An unspecified flaw exists in the DLM subcomponent. An authenticated, remote attacker can exploit this to impact integrity. (CVE-2015-4879)
    Additionally, unspecified denial of service vulnerabilities exist in the following MySQL subcomponents:
      - InnoDB (CVE-2015-4895)
      - libmysqld (CVE-2015-4904)
      - Partition (CVE-2015-4833)
      - Security:Firewall (CVE-2015-4766)
    last seen: 2020-06-04
    modified: 2015-10-29
    plugin id: 86660
    published: 2015-10-29
    reporter: This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/86660
    title: Oracle MySQL 5.6.x < 5.6.26 Multiple Vulnerabilities (October 2015 CPU)
  • NASL family: Web Servers
    NASL id: OPENSSL_1_0_1P.NASL
    description: According to its banner, the remote host is running a version of OpenSSL 1.0.1 prior to 1.0.1p. It is, therefore, affected by the following vulnerabilities:
      - A certificate validation bypass vulnerability exists due to a flaw in the X509_verify_cert() function in x509_vfy.c that is triggered when locating alternate certificate chains when the first attempt to build such a chain fails. A remote attacker can exploit this, by using a valid leaf certificate as a certificate authority (CA), to issue invalid certificates that will bypass authentication. Note that this issue affects only versions 1.0.1n and 1.0.1o. (CVE-2015-1793)
      - A race condition exists in s3_clnt.c that is triggered when PSK identity hints are incorrectly updated in the parent SSL_CTX structure when they are received by a multi-threaded client. A remote attacker can exploit this, via a crafted ServerKeyExchange message, to cause a double-free memory error, resulting in a denial of service. (CVE-2015-3196)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 84636
    published: 2015-07-09
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/84636
    title: OpenSSL 1.0.1 < 1.0.1p Multiple Vulnerabilities
  • NASL family: CGI abuses
    NASL id: CISCO-SA-CSCUV26213-PRSM.NASL
    description: According to its self-reported version number, the version of Cisco Prime Security Manager installed on the remote host has a bundled version of OpenSSL that is affected by a certificate validation bypass vulnerability. The vulnerability exists due to a flaw in the X509_verify_cert() function in x509_vfy.c that is triggered when locating alternate certificate chains when the first attempt to build such a chain fails. A remote attacker can exploit this, by using a valid leaf certificate as a certificate authority (CA), to issue invalid certificates that will bypass authentication.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 86105
    published: 2015-09-23
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/86105
    title: Cisco Prime Security Manager OpenSSL Alternative Chains Certificate Forgery (cisco-sa-20150710-openssl)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2015-889.NASL
    description: MySQL was updated to 5.6.27 to fix security issues and bugs. The following vulnerabilities were fixed as part of the upstream release [boo#951391]: CVE-2015-1793, CVE-2015-0286, CVE-2015-0288, CVE-2015-1789, CVE-2015-4730, CVE-2015-4766, CVE-2015-4792, CVE-2015-4800, CVE-2015-4802, CVE-2015-4815, CVE-2015-4816, CVE-2015-4819, CVE-2015-4826, CVE-2015-4830, CVE-2015-4833, CVE-2015-4836, CVE-2015-4858, CVE-2015-4861, CVE-2015-4862, CVE-2015-4864, CVE-2015-4866, CVE-2015-4870, CVE-2015-4879, CVE-2015-4890, CVE-2015-4895, CVE-2015-4904, CVE-2015-4905, CVE-2015-4910, CVE-2015-4913. Details on these and other changes can be found at: http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-27.html
    The following security relevant changes are included additionally:
      - CVE-2015-3152: MySQL lacked SSL enforcement. Using --ssl-verify-server-cert and --ssl[-*] implies that the ssl connection is required. The mysql client will now print an error if ssl is required, but the server can not handle a ssl connection [boo#924663], [boo#928962]
    last seen: 2020-06-05
    modified: 2015-12-17
    plugin id: 87442
    published: 2015-12-17
    reporter: This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/87442
    title: openSUSE Security Update : mysql (openSUSE-2015-889) (BACKRONYM)
  • NASL family: Web Servers
    NASL id: OPENSSL_1_0_2D.NASL
    description: According to its banner, the remote host is running a version of OpenSSL 1.0.2 prior to 1.0.2d. It is, therefore, affected by the following vulnerabilities:
      - A certificate validation bypass vulnerability exists due to a flaw in the X509_verify_cert() function in x509_vfy.c that is triggered when locating alternate certificate chains when the first attempt to build such a chain fails. A remote attacker can exploit this, by using a valid leaf certificate as a certificate authority (CA), to issue invalid certificates that will bypass authentication. (CVE-2015-1793)
      - A race condition exists in s3_clnt.c that is triggered when PSK identity hints are incorrectly updated in the parent SSL_CTX structure when they are received by a multi-threaded client. A remote attacker can exploit this, via a crafted ServerKeyExchange message, to cause a double-free memory error, resulting in a denial of service. (CVE-2015-3196)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 84637
    published: 2015-07-09
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/84637
    title: OpenSSL 1.0.2 < 1.0.2d Multiple Vulnerabilities
  • NASL family: CISCO
    NASL id: CISCO-SA-CSCUV26213-ASA-CX.NASL
    description: The remote ASA Next-Generation Firewall (NGFW) host is missing a security patch. It is, therefore, affected by a certificate validation bypass vulnerability in the bundled version of OpenSSL. The vulnerability exists due to a flaw in the X509_verify_cert() function in x509_vfy.c that is triggered when locating alternate certificate chains when the first attempt to build such a chain fails. A remote attacker can exploit this, by using a valid leaf certificate as a certificate authority (CA), to issue invalid certificates that will bypass authentication.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 86104
    published: 2015-09-23
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/86104
    title: Cisco ASA Next-Generation Firewall OpenSSL Alternative Chains Certificate Forgery (cisco-sa-20150710-openssl)
  • NASL family: CISCO
    NASL id: CISCO-SA-20150710-OPENSSL-VSG.NASL
    description: The remote Cisco Virtual Security Gateway device is affected by a certificate validation bypass vulnerability in the bundled OpenSSL library due to a flaw in the X509_verify_cert() function in x509_vfy.c that is triggered when locating alternate certificate chains in cases where the first attempt to build such a chain fails. A remote attacker can exploit this, by using a valid leaf certificate as a certificate authority (CA), to issue invalid certificates that will bypass authentication.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 85685
    published: 2015-08-28
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/85685
    title: Cisco Virtual Security Gateway OpenSSL Alternative Certificate Validation Bypass (cisco-sa-20150710-openssl)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201507-15.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201507-15 (OpenSSL: Alternate chains certificate forgery). During certificate verification, OpenSSL attempts to find an alternative certificate chain if the first attempt to build such a chain fails.
    Impact: A remote attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and “issue” an invalid certificate.
    Workaround: There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 86084
    published: 2015-09-23
    reporter: This script is Copyright (C) 2015-2017 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/86084
    title: GLSA-201507-15 : OpenSSL: Alternate chains certificate forgery
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2015-11414.NASL
    description: Security fix for CVE-2015-1793 high severity issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2015-07-14
    plugin id: 84690
    published: 2015-07-14
    reporter: This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/84690
    title: Fedora 21 : openssl-1.0.1k-11.fc21 (2015-11414)
  • NASL family: Web Servers
    NASL id: HPSMH_7_5_4.NASL
    description: According to the web server
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 90150
    published: 2016-03-24
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/90150
    title: HP System Management Homepage < 7.5.4 Multiple Vulnerabilities (Logjam)
  • NASL family: Amazon Linux Local Security Checks
    NASL id: ALA_ALAS-2015-564.NASL
    description: During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 84647
    published: 2015-07-13
    reporter: This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/84647
    title: Amazon Linux AMI : openssl (ALAS-2015-564)
  • NASL family: CGI abuses
    NASL id: SPLUNK_625.NASL
    description: According to its version number, the instance of Splunk hosted on the remote web server is Enterprise 5.0.x prior to 5.0.14, 6.0.x prior to 6.0.10, 6.1.x prior to 6.1.9, 6.2.x prior to 6.2.5, or Light 6.2.x prior to 6.2.5. It is, therefore, affected by the following vulnerabilities in the bundled OpenSSL library:
      - A denial of service vulnerability exists when processing an ECParameters structure due to an infinite loop that occurs when a specified curve is over a malformed binary polynomial field. A remote attacker can exploit this to perform a denial of service against any system that processes public keys, certificate requests, or certificates. This includes TLS clients and TLS servers with client authentication enabled. (CVE-2015-1788)
      - A denial of service vulnerability exists due to improper validation of the content and length of the ASN1_TIME string by the X509_cmp_time() function. A remote attacker can exploit this, via a malformed certificate and CRLs of various sizes, to cause a segmentation fault, resulting in a denial of service condition. TLS clients that verify CRLs are affected. TLS clients and servers with client authentication enabled may be affected if they use custom verification callbacks. (CVE-2015-1789)
      - A NULL pointer dereference flaw exists in the PKCS#7 parsing code due to incorrect handling of missing inner
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 85581
    published: 2015-08-21
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/85581
    title: Splunk Enterprise < 5.0.14 / 6.0.10 / 6.1.9 / 6.2.5 or Splunk Light < 6.2.5 Multiple Vulnerabilities
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2015-2303-1.NASL
    description: The mysql package was updated to version 5.5.46 to fix several security and non-security issues.
      - bnc#951391: update to version 5.5.46
      - changes: http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-46.html
      - fixed CVEs: CVE-2015-1793, CVE-2015-0286, CVE-2015-0288, CVE-2015-1789, CVE-2015-4730, CVE-2015-4766, CVE-2015-4792, CVE-2015-4800, CVE-2015-4802, CVE-2015-4815, CVE-2015-4816, CVE-2015-4819, CVE-2015-4826, CVE-2015-4830, CVE-2015-4833, CVE-2015-4836, CVE-2015-4858, CVE-2015-4861, CVE-2015-4862, CVE-2015-4864, CVE-2015-4866, CVE-2015-4870, CVE-2015-4879, CVE-2015-4890, CVE-2015-4895, CVE-2015-4904, CVE-2015-4905, CVE-2015-4910, CVE-2015-4913
      - bnc#952196: Fixed a build error for ppc*, s390* and ia64 architectures.
    Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 87525
    published: 2015-12-21
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/87525
    title: SUSE SLED11 / SLES11 Security Update : mysql (SUSE-SU-2015:2303-1)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_075952FE267E11E59D033C970E169BC2.NASL
    description: OpenSSL reports: During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 84651
    published: 2015-07-13
    reporter: This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/84651
    title: FreeBSD : openssl -- alternate chains certificate forgery vulnerability (075952fe-267e-11e5-9d03-3c970e169bc2)
  • NASL family: Databases
    NASL id: MYSQL_5_6_27.NASL
    description: The version of MySQL running on the remote host is 5.6.x prior to 5.6.27. It is, therefore, potentially affected by the following vulnerabilities:
      - A certificate validation bypass vulnerability exists in the Security:Encryption subcomponent due to a flaw in the X509_verify_cert() function in x509_vfy.c that is triggered when locating alternate certificate chains when the first attempt to build such a chain fails. A remote attacker can exploit this, by using a valid leaf certificate as a certificate authority (CA), to issue invalid certificates that will bypass authentication. (CVE-2015-1793)
      - An unspecified flaw exists in the Client Programs subcomponent. A local attacker can exploit this to gain elevated privileges. (CVE-2015-4819)
      - An unspecified flaw exists in the Types subcomponent. An authenticated, remote attacker can exploit this to gain access to sensitive information. (CVE-2015-4826)
      - Unspecified flaws exist in the Security:Privileges subcomponent. An authenticated, remote attacker can exploit these to impact integrity. (CVE-2015-4830, CVE-2015-4864)
      - An unspecified flaw exists in the DLM subcomponent. An authenticated, remote attacker can exploit this to impact integrity. (CVE-2015-4879)
      - An unspecified flaw exists in the Server Security Encryption subcomponent that allows an authenticated, remote attacker to disclose sensitive information. (CVE-2015-7744)
    Additionally, unspecified denial of service vulnerabilities can also exist in the following MySQL subcomponents:
      - DDL (CVE-2015-4815)
      - DML (CVE-2015-4858, CVE-2015-4862, CVE-2015-4905, CVE-2015-4913)
      - InnoDB (CVE-2015-4861, CVE-2015-4866, CVE-2015-4895)
      - libmysqld (CVE-2015-4904)
      - Memcached (CVE-2015-4910)
      - Optimizer (CVE-2015-4800)
      - Parser (CVE-2015-4870)
      - Partition (CVE-2015-4792, CVE-2015-4802, CVE-2015-4833)
      - Query (CVE-2015-4807)
      - Replication (CVE-2015-4890)
      - Security : Firewall (CVE-2015-4766)
      - Server : General (CVE-2016-0605)
      - Security : Privileges (CVE-2015-4791)
      - SP (CVE-2015-4836)
      - Types (CVE-2015-4730)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 86547
    published: 2015-10-22
    reporter: This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/86547
    title: MySQL 5.6.x < 5.6.27 Multiple Vulnerabilities
  • NASL family: Slackware Local Security Checks
    NASL id: SLACKWARE_SSA_2015-190-01.NASL
    description: New openssl packages are available for Slackware 14.0, 14.1, and -current to fix a security issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 84646
    published: 2015-07-13
    reporter: This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/84646
    title: Slackware 14.0 / 14.1 / current : openssl (SSA:2015-190-01)

Packetstorm

The Hacker News

id: THN:222E7964C49D6C2FA7B49F28896E3933
last seen: 2018-01-27
modified: 2015-07-09
published: 2015-07-09
reporter: Mohit Kumar
source: https://thehackernews.com/2015/07/openssl-vulnerability-ssl-certificate.html
title: Critical OpenSSL Flaw Allows Hackers to Impersonate Any Trusted SSL Certificate

References