Vulnerabilities > CVE-2015-1793 - 7PK - Security Features vulnerability in multiple products

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

LOW

Integrity impact

LOW

Availability impact

NONE

network

low complexity

oracle

openssl

CWE-254

nessus

exploit available

metasploit

NVD

Published: 2015-07-09

Updated: 2023-11-07

Summary

The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly process X.509 Basic Constraints cA values during identification of alternative certificate chains, which allows remote attackers to spoof a Certification Authority role and trigger unintended certificate verifications via a valid leaf certificate.

Vulnerable Configurations

Part	Description	Count
Application	Oracle Oracle Supply Chain Products Suite 6.1.2.2 Oracle Supply Chain Products Suite 6.2.0 Oracle Supply Chain Products Suite 6.1.3.0 Oracle JD Edwards Enterpriseone Tools 9.2 Oracle JD Edwards Enterpriseone Tools 9.1	5
Application	Openssl Openssl Openssl 1.0.2B Openssl Openssl 1.0.2C Openssl Openssl 1.0.1N Openssl Openssl 1.0.1O	4
OS	Oracle Oracle Opus 10G Ethernet Switch Family 1.2.2.13 Oracle Opus 10G Ethernet Switch Family 1.2.2.15 Oracle Opus 10G Ethernet Switch Family 1.3.1.13 Oracle Opus 10G Ethernet Switch Family 2.0.0.6	4

Common Weakness Enumeration (CWE)

CWE-254 - 7PK - Security Features

Exploit-Db

description	OpenSSL Alternative Chains Certificate Forgery. CVE-2015-1793. Webapps exploits for multiple platform
file	exploits/multiple/webapps/38640.rb
id	EDB-ID:38640
last seen	2016-02-04
modified	2015-11-05
platform	multiple
port
published	2015-11-05
reporter	Ramon de C Valle
source	https://www.exploit-db.com/download/38640/
title	OpenSSL Alternative Chains Certificate Forgery
type	webapps

Metasploit

description	This module exploits a logic error in OpenSSL by impersonating the server and sending a specially-crafted chain of certificates, resulting in certain checks on untrusted certificates to be bypassed on the client, allowing it to use a valid leaf certificate as a CA certificate to sign a fake certificate. The SSL/TLS session is then proxied to the server allowing the session to continue normally and application data transmitted between the peers to be saved. The valid leaf certificate must not contain the keyUsage extension or it must have at least the keyCertSign bit set (see X509_check_issued function in crypto/x509v3/v3_purp.c); otherwise; X509_verify_cert fails with X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY. This module requires an active man-in-the-middle attack.
id	MSF:AUXILIARY/SERVER/OPENSSL_ALTCHAINSFORGERY_MITM_PROXY
last seen	2020-06-04
modified	2020-05-30
published	2015-07-16
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1793 http://git.openssl.org/?p=openssl.git;a=commit;h=f404943bcab4898d18f3ac1b36479d1d7bbbb9e6
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/server/openssl_altchainsforgery_mitm_proxy.rb
title	OpenSSL Alternative Chains Certificate Forgery MITM Proxy

Nessus

NASL family	Misc.
NASL id	SECURITYCENTER_OPENSSL_1_0_1P.NASL
description	The SecurityCenter application installed on the remote host is affected by a certificate validation bypass vulnerability in the bundled OpenSSL library. The library is version 1.0.1n or later and prior to 1.0.1p. It is, therefore, affected by a flaw in the X509_verify_cert() function that is triggered when locating alternate certificate chains in cases where the first attempt to build such a chain fails. A remote attacker can exploit this to cause certain certificate checks to be bypassed, resulting in an invalid certificate being considered valid.
last seen	2020-06-01
modified	2020-06-02
plugin id	85565
published	2015-08-20
reporter	This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/85565
title	Tenable SecurityCenter Alternative Certificate Validation Bypass Vulnerability (TNS-2015-08)
code	#TRUSTED a0da3bc15c856d67cef034f2c73793a8155a0afa73d1f7a8b5e41e9b10b378fdb1ea230951f3ac46f756b885334055d370c31109db8f1b027eb633028e935c2c102dcaf931cbb281da935cd1ae876bfbbff657de96fafd80b40ce390e7d1dbf73b5fda7f61ec2f27c8799a9668cb32760479162dbbdc5fe2921232c7209c88b4026cb53affa8bc590ed860f66db29752da2109322695dd09379b1201c79b745bcb05412f11eca51a86482194e11cf128d230ca2b332ecfc2b7f727d4a246675727737f7666ae8718bf715cb5816280a222d0695e005afde0e9fc36311f016f1657174cd44b1f44626979f2858957816308bbb9aa66e1d54e2b38cec8333bfed5694b202b7bc8b9644b8d315b6601a38e23c82b0b9d78e73da835d2b2ce16118d4b548f48c4dfd158b74525e7882462ebedbe63911560f9d4d3045b2891399393a0ed965ffb61c5e7c359334738c7bac6840b12a1847d559d0be408617646b2ace021a0a3a40329e80def707752484af2306f9dcc5e84a4e025aca50ed50b413df1b27a0680446a0f187a9b20718b09420f9b4098d4e845bda060a6c0c188dfa3f4b5c819ac46418fe1f7ec2b5a447fe58ef48d151872a4339cea00c77ade5de63030221bc098846e336bb19354fbdc8f00ed9ea7e88af3430d8d09ca7371de018dd4837c480540e11d932102f5c9aff7667a1e5aff56e371ae9ba7f81299718b # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(85565); script_version("1.18"); script_cvs_date("Date: 2019/11/22"); script_cve_id("CVE-2015-1793"); script_bugtraq_id(75652); script_name(english:"Tenable SecurityCenter Alternative Certificate Validation Bypass Vulnerability (TNS-2015-08)"); script_summary(english:"Checks the version of OpenSSL in SecurityCenter."); script_set_attribute(attribute:"synopsis", value: "The remote application is affected by a certificate validation bypass vulnerability."); script_set_attribute(attribute:"description", value: "The SecurityCenter application installed on the remote host is affected by a certificate validation bypass vulnerability in the bundled OpenSSL library. The library is version 1.0.1n or later and prior to 1.0.1p. It is, therefore, affected by a flaw in the X509_verify_cert() function that is triggered when locating alternate certificate chains in cases where the first attempt to build such a chain fails. A remote attacker can exploit this to cause certain certificate checks to be bypassed, resulting in an invalid certificate being considered valid."); script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/tns-2015-08"); script_set_attribute(attribute:"see_also", value:"https://www.openssl.org/news/secadv/20150709.txt"); script_set_attribute(attribute:"solution", value: "Apply the relevant patch referenced in the vendor advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-1793"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/07/09"); script_set_attribute(attribute:"patch_publication_date", value:"2015/07/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/08/20"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:tenable:securitycenter"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("securitycenter_installed.nbin", "securitycenter_detect.nbin"); script_require_ports("Host/SecurityCenter/Version", "installed_sw/SecurityCenter", "Host/local_checks_enabled"); exit(0); } include("openssl_version.inc"); include("misc_func.inc"); include("ssh_func.inc"); include("telnet_func.inc"); include("hostlevel_funcs.inc"); include("install_func.inc"); if(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS) enable_ssh_wrappers(); else disable_ssh_wrappers(); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); sc_ver = get_kb_item("Host/SecurityCenter/Version"); port = 0; if(empty_or_null(sc_ver)) { port = 443; install = get_single_install(app_name:"SecurityCenter", combined:TRUE, exit_if_unknown_ver:TRUE); sc_ver = install["version"]; } if (! preg(pattern:"^(4\.[6-8]\.\|5\.0\.[0-1])", string:sc_ver)) audit(AUDIT_INST_VER_NOT_VULN, "SecurityCenter", sc_ver); # Establish running of local commands if ( islocalhost() ) { if ( ! defined_func("pread") ) audit(AUDIT_NOT_DETECT, "pread"); info_t = INFO_LOCAL; } else { sock_g = ssh_open_connection(); if (! sock_g) audit(AUDIT_HOST_NOT, "able to connect via the provided SSH credentials."); info_t = INFO_SSH; } fixes = make_list("1.0.1p", "1.0.2d"); cutoffs = make_list("1.0.1n", "1.0.2b"); pattern = "OpenSSL (\d+(?:\.\d+)(-beta\d+\|[a-z]))"; # Check version line = info_send_cmd(cmd:"/opt/sc4/support/bin/openssl version"); if (!line) line = info_send_cmd(cmd:"/opt/sc/support/bin/openssl version"); if (info_t == INFO_SSH) ssh_close_connection(); if (!line) audit(AUDIT_UNKNOWN_APP_VER, "OpenSSL (within SecurityCenter)"); match = pregmatch(pattern:pattern, string:line); if (isnull(match)) audit(AUDIT_UNKNOWN_APP_VER, line); version = match[1]; fix = NULL; for ( i=0; i<2; i++) { if ( openssl_ver_cmp(ver:version, fix:fixes[i], same_branch:TRUE, is_min_check:FALSE) < 0 && openssl_ver_cmp(ver:version, fix:cutoffs[i], same_branch:TRUE, is_min_check:FALSE) >= 0 ) { fix = fixes[i]; break; } } if (!isnull(fix)) { report = '\n' + '\n SecurityCenter version : ' + sc_ver + '\n SecurityCenter OpenSSL version : ' + version + '\n Fixed OpenSSL version : ' + fix + '\n'; security_report_v4(port:port, severity:SECURITY_WARNING, extra:report); exit(0); } else audit(AUDIT_INST_VER_NOT_VULN, "OpenSSL (within SecurityCenter)", version);

NASL family	Misc.
NASL id	ORACLE_ENTERPRISE_MANAGER_JAN_2016_CPU.NASL
description	The version of Oracle Enterprise Manager Cloud Control installed on the remote host is affected by multiple unspecified vulnerabilities in the following subcomponents of the Enterprise Manager Base Platform component : - Agent Next Gen - Discovery Framework - Loader Service - UI Framework Note that the product was formerly known as Enterprise Manager Grid Control.
last seen	2020-06-01
modified	2020-06-02
plugin id	88043
published	2016-01-21
reporter	This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/88043
title	Oracle Enterprise Manager Cloud Control Multiple Vulnerabilities (January 2016 CPU)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(88043); script_version("1.12"); script_cvs_date("Date: 2018/11/15 20:50:23"); script_cve_id( "CVE-2015-1793", "CVE-2015-4885", "CVE-2016-0411", "CVE-2016-0415", "CVE-2016-0427", "CVE-2016-0442", "CVE-2016-0443", "CVE-2016-0444", "CVE-2016-0445", "CVE-2016-0446", "CVE-2016-0447", "CVE-2016-0449", "CVE-2016-0455" ); script_bugtraq_id( 75652, 81091, 81111, 81120, 81128, 81131, 81134, 81140, 81144, 81179, 81190, 81194, 81205 ); script_xref(name:"EDB-ID", value:"38640"); script_name(english:"Oracle Enterprise Manager Cloud Control Multiple Vulnerabilities (January 2016 CPU)"); script_summary(english:"Checks for the patch ID."); script_set_attribute(attribute:"synopsis", value: "The remote host has an enterprise management application installed that is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of Oracle Enterprise Manager Cloud Control installed on the remote host is affected by multiple unspecified vulnerabilities in the following subcomponents of the Enterprise Manager Base Platform component : - Agent Next Gen - Discovery Framework - Loader Service - UI Framework Note that the product was formerly known as Enterprise Manager Grid Control."); # https://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixEM script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?91eb3a54"); script_set_attribute(attribute:"solution", value: "Apply the appropriate patch according to the January 2016 Oracle Critical Patch Update advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/01/19"); script_set_attribute(attribute:"patch_publication_date", value:"2016/01/19"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/01/21"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:enterprise_manager"); script_set_attribute(attribute:"plugin_type", value:"local"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc."); script_dependencies("oracle_enterprise_manager_installed.nbin"); script_require_keys("installed_sw/Oracle Enterprise Manager Cloud Control"); exit(0); } include("global_settings.inc"); include("misc_func.inc"); include("oracle_rdbms_cpu_func.inc"); include("install_func.inc"); product = "Oracle Enterprise Manager Cloud Control"; install = get_single_install(app_name:product, exit_if_unknown_ver:TRUE); version = install['version']; emchome = install['path']; patchid = FALSE; fix = NULL; if (version =~ "^12\.1\.0\.5(\.[0-9])?$") { patchid = "22115901"; fix = "12.1.0.5.160119"; } if (version =~ "^12\.1\.0\.4(\.[0-9])?$") { patchid = "22132672"; fix = "12.1.0.4.160119"; } if (version =~ "^11\.1\.0\.1(\.[0-9])?$") { patchid = "22266340"; fix = "11.1.0.1.160119"; } if (!patchid) audit(AUDIT_HOST_NOT, 'affected'); # compare version to check if we've already adjusted for patch level during detection if (ver_compare(ver:version, fix:fix, strict:FALSE) >= 0) audit(AUDIT_INST_PATH_NOT_VULN, product, version, emchome); # Now look for the affected components patchesinstalled = find_patches_in_ohomes(ohomes:make_list(emchome)); if (isnull(patchesinstalled)) { missing = patchid; patched = FALSE; } else { patched = FALSE; foreach applied (keys(patchesinstalled[emchome])) { if (applied == patchid) { patched = TRUE; break; } else { foreach bugid (patchesinstalled[emchome][applied]['bugs']) { if (bugid == patchid) { patched = TRUE; break; } } } } if (!patched) { missing = patchid; } } if (empty_or_null(missing)) audit(AUDIT_HOST_NOT, 'affected'); if (report_verbosity > 0) { report += '\n Product : ' + product + '\n Version : ' + version + '\n Missing patch : ' + patchid + '\n'; security_warning(port:0, extra:report); } else security_warning(0);

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2015-11475.NASL
description	Security fix for CVE-2015-1793 high severity issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-05
modified	2015-07-14
plugin id	84691
published	2015-07-14
reporter	This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/84691
title	Fedora 22 : openssl-1.0.1k-11.fc22 (2015-11475)

NASL family	Databases
NASL id	MYSQL_5_6_26_RPM.NASL
description	The version of Oracle MySQL installed on the remote host is 5.6.x prior to 5.6.26. It is, therefore, affected by the following vulnerabilities : - A certificate validation bypass vulnerability exists in the Security:Encryption subcomponent due to a flaw in the X509_verify_cert() function in x509_vfy.c that is triggered when locating alternate certificate chains when the first attempt to build such a chain fails. A remote attacker can exploit this, by using a valid leaf certificate as a certificate authority (CA), to issue invalid certificates that will bypass authentication. (CVE-2015-1793) - An unspecified flaw exists in the Client Programs subcomponent. A local attacker can exploit this to gain elevated privileges. (CVE-2015-4819) - An unspecified flaw exists in the DLM subcomponent. An authenticated, remote attacker can exploit this to impact integrity. (CVE-2015-4879) Additionally, unspecified denial of service vulnerabilities exist in the following MySQL subcomponents : - InnoDB (CVE-2015-4895) - libmysqld (CVE-2015-4904) - Partition (CVE-2015-4833) - Security:Firewall (CVE-2015-4766)
last seen	2020-06-04
modified	2015-10-29
plugin id	86660
published	2015-10-29
reporter	This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/86660
title	Oracle MySQL 5.6.x < 5.6.26 Multiple Vulnerabilities (October 2015 CPU)

NASL family	Web Servers
NASL id	OPENSSL_1_0_1P.NASL
description	According to its banner, the remote host is running a version of OpenSSL 1.0.1 prior to 1.0.1p. It is, therefore, affected by the following vulnerabilities : - A certificate validation bypass vulnerability exists due to a flaw in the X509_verify_cert() function in x509_vfy.c that is triggered when locating alternate certificate chains when the first attempt to build such a chain fails. A remote attacker can exploit this, by using a valid leaf certificate as a certificate authority (CA), to issue invalid certificates that will bypass authentication. Note that this issue affects only versions 1.0.1n and 1.0.1o. (CVE-2015-1793) - A race condition exists in s3_clnt.c that is triggered when PSK identity hints are incorrectly updated in the parent SSL_CTX structure when they are received by a multi-threaded client. A remote attacker can exploit this, via a crafted ServerKeyExchange message, to cause a double-free memory error, resulting in a denial of service. (CVE-2015-3196)
last seen	2020-06-01
modified	2020-06-02
plugin id	84636
published	2015-07-09
reporter	This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/84636
title	OpenSSL 1.0.1 < 1.0.1p Multiple Vulnerabilities

NASL family	CGI abuses
NASL id	CISCO-SA-CSCUV26213-PRSM.NASL
description	According to its self-reported version number, the version of Cisco Prime Security Manager installed on the remote host has a bundled version of OpenSSL that is affected by a certificate validation bypass vulnerability. The vulnerability exists due to a flaw in the X509_verify_cert() function in x509_vfy.c that is triggered when locating alternate certificate chains when the first attempt to build such a chain fails. A remote attacker can exploit this, by using a valid leaf certificate as a certificate authority (CA), to issue invalid certificates that will bypass authentication.
last seen	2020-06-01
modified	2020-06-02
plugin id	86105
published	2015-09-23
reporter	This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/86105
title	Cisco Prime Security Manager OpenSSL Alternative Chains Certificate Forgery (cisco-sa-20150710-openssl)

NASL family	SuSE Local Security Checks
NASL id	OPENSUSE-2015-889.NASL
description	MySQL was updated to 5.6.27 to fix security issues and bugs. The following vulnerabilities were fixed as part of the upstream release [boo#951391]: CVE-2015-1793, CVE-2015-0286, CVE-2015-0288, CVE-2015-1789, CVE-2015-4730, CVE-2015-4766, CVE-2015-4792, CVE-2015-4800, CVE-2015-4802, CVE-2015-4815, CVE-2015-4816, CVE-2015-4819, CVE-2015-4826, CVE-2015-4830, CVE-2015-4833, CVE-2015-4836, CVE-2015-4858, CVE-2015-4861, CVE-2015-4862, CVE-2015-4864, CVE-2015-4866, CVE-2015-4870, CVE-2015-4879, CVE-2015-4890, CVE-2015-4895, CVE-2015-4904, CVE-2015-4905, CVE-2015-4910, CVE-2015-4913 Details on these and other changes can be found at: http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-27.html The following security relevant changes are included additionally : - CVE-2015-3152: MySQL lacked SSL enforcement. Using --ssl-verify-server-cert and --ssl[-*] implies that the ssl connection is required. The mysql client will now print an error if ssl is required, but the server can not handle a ssl connection [boo#924663], [boo#928962]
last seen	2020-06-05
modified	2015-12-17
plugin id	87442
published	2015-12-17
reporter	This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/87442
title	openSUSE Security Update : mysql (openSUSE-2015-889) (BACKRONYM)

NASL family	Web Servers
NASL id	OPENSSL_1_0_2D.NASL
description	According to its banner, the remote host is running a version of OpenSSL 1.0.2 prior to 1.0.2d. It is, therefore, affected by the following vulnerabilities : - A certificate validation bypass vulnerability exists due to a flaw in the X509_verify_cert() function in x509_vfy.c that is triggered when locating alternate certificate chains when the first attempt to build such a chain fails. A remote attacker can exploit this, by using a valid leaf certificate as a certificate authority (CA), to issue invalid certificates that will bypass authentication. (CVE-2015-1793) - A race condition exists in s3_clnt.c that is triggered when PSK identity hints are incorrectly updated in the parent SSL_CTX structure when they are received by a multi-threaded client. A remote attacker can exploit this, via a crafted ServerKeyExchange message, to cause a double-free memory error, resulting in a denial of service. (CVE-2015-3196)
last seen	2020-06-01
modified	2020-06-02
plugin id	84637
published	2015-07-09
reporter	This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/84637
title	OpenSSL 1.0.2 < 1.0.2d Multiple Vulnerabilities

NASL family	CISCO
NASL id	CISCO-SA-CSCUV26213-ASA-CX.NASL
description	The remote ASA Next-Generation Firewall (NGFW) host is missing a security patch. It is, therefore, affected by a certificate validation bypass vulnerability in the bundled version of OpenSSL. The vulnerability exists due to a flaw in the X509_verify_cert() function in x509_vfy.c that is triggered when locating alternate certificate chains when the first attempt to build such a chain fails. A remote attacker can exploit this, by using a valid leaf certificate as a certificate authority (CA), to issue invalid certificates that will bypass authentication.
last seen	2020-06-01
modified	2020-06-02
plugin id	86104
published	2015-09-23
reporter	This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/86104
title	Cisco ASA Next-Generation Firewall OpenSSL Alternative Chains Certificate Forgery (cisco-sa-20150710-openssl)

NASL family	CISCO
NASL id	CISCO-SA-20150710-OPENSSL-VSG.NASL
description	The remote Cisco Virtual Security Gateway device is affected by a certificate validation bypass vulnerability in the bundled OpenSSL library due to a flaw in the X509_verify_cert() function in x509_vfy.c that is triggered when locating alternate certificate chains in cases where the first attempt to build such a chain fails. A remote attacker can exploit this, by using a valid leaf certificate as a certificate authority (CA), to issue invalid certificates that will bypass authentication.
last seen	2020-06-01
modified	2020-06-02
plugin id	85685
published	2015-08-28
reporter	This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/85685
title	Cisco Virtual Security Gateway OpenSSL Alternative Certificate Validation Bypass (cisco-sa-20150710-openssl)

NASL family	Gentoo Local Security Checks
NASL id	GENTOO_GLSA-201507-15.NASL
description	The remote host is affected by the vulnerability described in GLSA-201507-15 (OpenSSL: Alternate chains certificate forgery) During certificate verification, OpenSSL attempts to find an alternative certificate chain if the first attempt to build such a chain fails. Impact : A remote attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and “issue” an invalid certificate. Workaround : There is no known workaround at this time.
last seen	2020-06-01
modified	2020-06-02
plugin id	86084
published	2015-09-23
reporter	This script is Copyright (C) 2015-2017 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/86084
title	GLSA-201507-15 : OpenSSL: Alternate chains certificate forgery

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2015-11414.NASL
description	Security fix for CVE-2015-1793 high severity issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-05
modified	2015-07-14
plugin id	84690
published	2015-07-14
reporter	This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/84690
title	Fedora 21 : openssl-1.0.1k-11.fc21 (2015-11414)

NASL family	Web Servers
NASL id	HPSMH_7_5_4.NASL
description	According to the web server
last seen	2020-06-01
modified	2020-06-02
plugin id	90150
published	2016-03-24
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/90150
title	HP System Management Homepage < 7.5.4 Multiple Vulnerabilities (Logjam)

NASL family	Amazon Linux Local Security Checks
NASL id	ALA_ALAS-2015-564.NASL
description	During certificate verfification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and
last seen	2020-06-01
modified	2020-06-02
plugin id	84647
published	2015-07-13
reporter	This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/84647
title	Amazon Linux AMI : openssl (ALAS-2015-564)

NASL family	CGI abuses
NASL id	SPLUNK_625.NASL
description	According to its version number, the instance of Splunk hosted on the remote web server is Enterprise 5.0.x prior to 5.0.14, 6.0.x prior to 6.0.10, 6.1.x prior to 6.1.9, 6.2.x prior to 6.2.5, or Light 6.2.x prior to 6.2.5. It is, therefore, affected by the following vulnerabilities in the bundled OpenSSL library : - A denial of service vulnerability exists when processing an ECParameters structure due to an infinite loop that occurs when a specified curve is over a malformed binary polynomial field. A remote attacker can exploit this to perform a denial of service against any system that processes public keys, certificate requests, or certificates. This includes TLS clients and TLS servers with client authentication enabled. (CVE-2015-1788) - A denial of service vulnerability exists due to improper validation of the content and length of the ASN1_TIME string by the X509_cmp_time() function. A remote attacker can exploit this, via a malformed certificate and CRLs of various sizes, to cause a segmentation fault, resulting in a denial of service condition. TLS clients that verify CRLs are affected. TLS clients and servers with client authentication enabled may be affected if they use custom verification callbacks. (CVE-2015-1789) - A NULL pointer dereference flaw exists in the PKCS#7 parsing code due to incorrect handling of missing inner
last seen	2020-06-01
modified	2020-06-02
plugin id	85581
published	2015-08-21
reporter	This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/85581
title	Splunk Enterprise < 5.0.14 / 6.0.10 / 6.1.9 / 6.2.5 or Splunk Light < 6.2.5 Multiple Vulnerabilities

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2015-2303-1.NASL
description	The mysql package was updated to version 5.5.46 to fixs several security and non security issues. - bnc#951391: update to version 5.5.46 - changes: http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5- 46.html - fixed CVEs: CVE-2015-1793, CVE-2015-0286, CVE-2015-0288, CVE-2015-1789, CVE-2015-4730, CVE-2015-4766, CVE-2015-4792, CVE-2015-4800, CVE-2015-4802, CVE-2015-4815, CVE-2015-4816, CVE-2015-4819, CVE-2015-4826, CVE-2015-4830, CVE-2015-4833, CVE-2015-4836, CVE-2015-4858, CVE-2015-4861, CVE-2015-4862, CVE-2015-4864, CVE-2015-4866, CVE-2015-4870, CVE-2015-4879, CVE-2015-4890, CVE-2015-4895, CVE-2015-4904, CVE-2015-4905, CVE-2015-4910, CVE-2015-4913 - bnc#952196: Fixed a build error for ppc, s390 and ia64 architectures. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	87525
published	2015-12-21
reporter	This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/87525
title	SUSE SLED11 / SLES11 Security Update : mysql (SUSE-SU-2015:2303-1)

NASL family	FreeBSD Local Security Checks
NASL id	FREEBSD_PKG_075952FE267E11E59D033C970E169BC2.NASL
description	OpenSSL reports : During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and
last seen	2020-06-01
modified	2020-06-02
plugin id	84651
published	2015-07-13
reporter	This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/84651
title	FreeBSD : openssl -- alternate chains certificate forgery vulnerability (075952fe-267e-11e5-9d03-3c970e169bc2)

NASL family	Databases
NASL id	MYSQL_5_6_27.NASL
description	The version of MySQL running on the remote host is 5.6.x prior to 5.6.27. It is, therefore, potentially affected by the following vulnerabilities : - A certificate validation bypass vulnerability exists in the Security:Encryption subcomponent due to a flaw in the X509_verify_cert() function in x509_vfy.c that is triggered when locating alternate certificate chains when the first attempt to build such a chain fails. A remote attacker can exploit this, by using a valid leaf certificate as a certificate authority (CA), to issue invalid certificates that will bypass authentication. (CVE-2015-1793) - An unspecified flaw exists in the Client Programs subcomponent. A local attacker can exploit this to gain elevated privileges. (CVE-2015-4819) - An unspecified flaw exists in the Types subcomponent. An authenticated, remote attacker can exploit this to gain access to sensitive information. (CVE-2015-4826) - An unspecified flaws exist in the Security:Privileges subcomponent. An authenticated, remote attacker can exploit these to impact integrity. (CVE-2015-4830, CVE-2015-4864) - An unspecified flaw exists in the DLM subcomponent. An authenticated, remote attacker can exploit this to impact integrity. (CVE-2015-4879) - An unspecified flaw exists in the Server Security Encryption subcomponent that allows an authenticated, remote attacker to disclose sensitive information. (CVE-2015-7744) Additionally, unspecified denial of service vulnerabilities can also exist in the following MySQL subcomponents : - DDL (CVE-2015-4815) - DML (CVE-2015-4858, CVE-2015-4862, CVE-2015-4905, CVE-2015-4913) - InnoDB (CVE-2015-4861, CVE-2015-4866, CVE-2015-4895) - libmysqld (CVE-2015-4904) - Memcached (CVE-2015-4910) - Optimizer (CVE-2015-4800) - Parser (CVE-2015-4870) - Partition (CVE-2015-4792, CVE-2015-4802, CVE-2015-4833) - Query (CVE-2015-4807) - Replication (CVE-2015-4890) - Security : Firewall (CVE-2015-4766) - Server : General (CVE-2016-0605) - Security : Privileges (CVE-2015-4791) - SP (CVE-2015-4836) - Types (CVE-2015-4730)
last seen	2020-06-01
modified	2020-06-02
plugin id	86547
published	2015-10-22
reporter	This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/86547
title	MySQL 5.6.x < 5.6.27 Multiple Vulnerabilities

NASL family	Slackware Local Security Checks
NASL id	SLACKWARE_SSA_2015-190-01.NASL
description	New openssl packages are available for Slackware 14.0, 14.1, and -current to fix a security issue.
last seen	2020-06-01
modified	2020-06-02
plugin id	84646
published	2015-07-13
reporter	This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/84646
title	Slackware 14.0 / 14.1 / current : openssl (SSA:2015-190-01)

Packetstorm

data source	https://packetstormsecurity.com/files/download/143369/orionbrowser79-mitm.txt
id	PACKETSTORM:143369
last seen	2017-07-15
published	2017-07-14
reporter	MaXe
source	https://packetstormsecurity.com/files/143369/Orion-Elite-Hidden-IP-Browser-Pro-7.9-OpenSSL-Tor-Man-In-The-Middle.html
title	Orion Elite Hidden IP Browser Pro 7.9 OpenSSL / Tor / Man-In-The-Middle

data source	https://packetstormsecurity.com/files/download/134250/rcvalle_accforgery.rb.txt
id	PACKETSTORM:134250
last seen	2016-12-05
published	2015-11-06
reporter	Ramon de C Valle
source	https://packetstormsecurity.com/files/134250/OpenSSL-Alternative-Chains-Certificate-Forgery.html
title	OpenSSL Alternative Chains Certificate Forgery

data source	https://packetstormsecurity.com/files/download/132843/openssl_altchainsforgery_mitm_proxy.rb.txt
id	PACKETSTORM:132843
last seen	2016-12-05
published	2015-07-27
reporter	Ramon de C Valle
source	https://packetstormsecurity.com/files/132843/OpenSSL-Alternative-Chains-Certificate-Forgery-MITM-Proxy.html
title	OpenSSL Alternative Chains Certificate Forgery MITM Proxy

The Hacker News

id	THN:222E7964C49D6C2FA7B49F28896E3933
last seen	2018-01-27
modified	2015-07-09
published	2015-07-09
reporter	Mohit Kumar
source	https://thehackernews.com/2015/07/openssl-vulnerability-ssl-certificate.html
title	Critical OpenSSL Flaw Allows Hackers to Impersonate Any Trusted SSL Certificate