CVE-2015-1793 - 7PK - Security Features vulnerability in multiple products
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | LOW |
Integrity impact | LOW |
Availability impact | NONE |
Summary
The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly process X.509 Basic Constraints cA values during identification of alternative certificate chains, which allows remote attackers to spoof a Certification Authority role and trigger unintended certificate verifications via a valid leaf certificate.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 5 |
Application | | 4 |
OS | | 4 |
Common Weakness Enumeration (CWE)
Exploit-Db
description | OpenSSL Alternative Chains Certificate Forgery. CVE-2015-1793. Webapps exploits for multiple platform |
file | exploits/multiple/webapps/38640.rb |
id | EDB-ID:38640 |
last seen | 2016-02-04 |
modified | 2015-11-05 |
platform | multiple |
port | |
published | 2015-11-05 |
reporter | Ramon de C Valle |
source | https://www.exploit-db.com/download/38640/ |
title | OpenSSL Alternative Chains Certificate Forgery |
type | webapps |
Metasploit
description | This module exploits a logic error in OpenSSL by impersonating the server and sending a specially-crafted chain of certificates, resulting in certain checks on untrusted certificates being bypassed on the client, allowing it to use a valid leaf certificate as a CA certificate to sign a fake certificate. The SSL/TLS session is then proxied to the server allowing the session to continue normally and application data transmitted between the peers to be saved. The valid leaf certificate must not contain the keyUsage extension or it must have at least the keyCertSign bit set (see X509_check_issued function in crypto/x509v3/v3_purp.c); otherwise, X509_verify_cert fails with X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY. This module requires an active man-in-the-middle attack. |
id | MSF:AUXILIARY/SERVER/OPENSSL_ALTCHAINSFORGERY_MITM_PROXY |
last seen | 2020-06-04 |
modified | 2020-05-30 |
published | 2015-07-16 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/server/openssl_altchainsforgery_mitm_proxy.rb |
title | OpenSSL Alternative Chains Certificate Forgery MITM Proxy |
Nessus
NASL family | Misc. |
NASL id | SECURITYCENTER_OPENSSL_1_0_1P.NASL |
description | The SecurityCenter application installed on the remote host is affected by a certificate validation bypass vulnerability in the bundled OpenSSL library. The library is version 1.0.1n or later and prior to 1.0.1p. It is, therefore, affected by a flaw in the X509_verify_cert() function that is triggered when locating alternate certificate chains in cases where the first attempt to build such a chain fails. A remote attacker can exploit this to cause certain certificate checks to be bypassed, resulting in an invalid certificate being considered valid. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 85565 |
published | 2015-08-20 |
reporter | This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/85565 |
title | Tenable SecurityCenter Alternative Certificate Validation Bypass Vulnerability (TNS-2015-08) |
code |

```
#TRUSTED
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(85565);
  script_version("1.18");
  script_cvs_date("Date: 2019/11/22");

  script_cve_id("CVE-2015-1793");
  script_bugtraq_id(75652);

  script_name(english:"Tenable SecurityCenter Alternative Certificate Validation Bypass Vulnerability (TNS-2015-08)");
  script_summary(english:"Checks the version of OpenSSL in SecurityCenter.");

  script_set_attribute(attribute:"synopsis", value:
"The remote application is affected by a certificate validation bypass
vulnerability.");
  script_set_attribute(attribute:"description", value:
"The SecurityCenter application installed on the remote host is
affected by a certificate validation bypass vulnerability in the
bundled OpenSSL library. The library is version 1.0.1n or later and
prior to 1.0.1p. It is, therefore, affected by a flaw in the
X509_verify_cert() function that is triggered when locating alternate
certificate chains in cases where the first attempt to build such a
chain fails. A remote attacker can exploit this to cause certain
certificate checks to be bypassed, resulting in an invalid certificate
being considered valid.");
  script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/tns-2015-08");
  script_set_attribute(attribute:"see_also", value:"https://www.openssl.org/news/secadv/20150709.txt");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant patch referenced in the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-1793");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/07/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/07/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/08/20");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:tenable:securitycenter");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("securitycenter_installed.nbin", "securitycenter_detect.nbin");
  script_require_ports("Host/SecurityCenter/Version", "installed_sw/SecurityCenter", "Host/local_checks_enabled");

  exit(0);
}

include("openssl_version.inc");
include("misc_func.inc");
include("ssh_func.inc");
include("telnet_func.inc");
include("hostlevel_funcs.inc");
include("install_func.inc");

if (sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS) enable_ssh_wrappers();
else disable_ssh_wrappers();

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

sc_ver = get_kb_item("Host/SecurityCenter/Version");
port = 0;
if (empty_or_null(sc_ver))
{
  port = 443;
  install = get_single_install(app_name:"SecurityCenter", combined:TRUE, exit_if_unknown_ver:TRUE);
  sc_ver = install["version"];
}

if (! preg(pattern:"^(4\.[6-8]\.|5\.0\.[0-1])", string:sc_ver))
  audit(AUDIT_INST_VER_NOT_VULN, "SecurityCenter", sc_ver);

# Establish running of local commands
if ( islocalhost() )
{
  if ( ! defined_func("pread") ) audit(AUDIT_NOT_DETECT, "pread");
  info_t = INFO_LOCAL;
}
else
{
  sock_g = ssh_open_connection();
  if (! sock_g) audit(AUDIT_HOST_NOT, "able to connect via the provided SSH credentials.");
  info_t = INFO_SSH;
}

fixes   = make_list("1.0.1p", "1.0.2d");
cutoffs = make_list("1.0.1n", "1.0.2b");
pattern = "OpenSSL (\d+(?:\.\d+)*(-beta\d+|[a-z]*))";

# Check version
line = info_send_cmd(cmd:"/opt/sc4/support/bin/openssl version");
if (!line) line = info_send_cmd(cmd:"/opt/sc/support/bin/openssl version");
if (info_t == INFO_SSH) ssh_close_connection();
if (!line) audit(AUDIT_UNKNOWN_APP_VER, "OpenSSL (within SecurityCenter)");

match = pregmatch(pattern:pattern, string:line);
if (isnull(match)) audit(AUDIT_UNKNOWN_APP_VER, line);
version = match[1];

# Vulnerable only inside [cutoff, fix) of the same branch: 1.0.1n..1.0.1o and 1.0.2b..1.0.2c
fix = NULL;
for ( i=0; i<2; i++)
{
  if (
    openssl_ver_cmp(ver:version, fix:fixes[i], same_branch:TRUE, is_min_check:FALSE) < 0 &&
    openssl_ver_cmp(ver:version, fix:cutoffs[i], same_branch:TRUE, is_min_check:FALSE) >= 0
  )
  {
    fix = fixes[i];
    break;
  }
}

if (!isnull(fix))
{
  report = '\n' +
    '\n  SecurityCenter version         : ' + sc_ver +
    '\n  SecurityCenter OpenSSL version : ' + version +
    '\n  Fixed OpenSSL version          : ' + fix +
    '\n';
  security_report_v4(port:port, severity:SECURITY_WARNING, extra:report);
  exit(0);
}
else audit(AUDIT_INST_VER_NOT_VULN, "OpenSSL (within SecurityCenter)", version);
```
NASL family | Misc. |
NASL id | ORACLE_ENTERPRISE_MANAGER_JAN_2016_CPU.NASL |
description | The version of Oracle Enterprise Manager Cloud Control installed on the remote host is affected by multiple unspecified vulnerabilities in the following subcomponents of the Enterprise Manager Base Platform component : - Agent Next Gen - Discovery Framework - Loader Service - UI Framework Note that the product was formerly known as Enterprise Manager Grid Control. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 88043 |
published | 2016-01-21 |
reporter | This script is Copyright (C) 2016-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/88043 |
title | Oracle Enterprise Manager Cloud Control Multiple Vulnerabilities (January 2016 CPU) |
code |

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(88043);
  script_version("1.12");
  script_cvs_date("Date: 2018/11/15 20:50:23");

  script_cve_id(
    "CVE-2015-1793",
    "CVE-2015-4885",
    "CVE-2016-0411",
    "CVE-2016-0415",
    "CVE-2016-0427",
    "CVE-2016-0442",
    "CVE-2016-0443",
    "CVE-2016-0444",
    "CVE-2016-0445",
    "CVE-2016-0446",
    "CVE-2016-0447",
    "CVE-2016-0449",
    "CVE-2016-0455"
  );
  script_bugtraq_id(
    75652,
    81091,
    81111,
    81120,
    81128,
    81131,
    81134,
    81140,
    81144,
    81179,
    81190,
    81194,
    81205
  );
  script_xref(name:"EDB-ID", value:"38640");

  script_name(english:"Oracle Enterprise Manager Cloud Control Multiple Vulnerabilities (January 2016 CPU)");
  script_summary(english:"Checks for the patch ID.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host has an enterprise management application installed
that is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Oracle Enterprise Manager Cloud Control installed on
the remote host is affected by multiple unspecified vulnerabilities in
the following subcomponents of the Enterprise Manager Base Platform
component :

  - Agent Next Gen
  - Discovery Framework
  - Loader Service
  - UI Framework

Note that the product was formerly known as Enterprise Manager Grid
Control.");
  # https://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixEM
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?91eb3a54");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the January 2016 Oracle
Critical Patch Update advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/01/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/01/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/01/21");

  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:enterprise_manager");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.");

  script_dependencies("oracle_enterprise_manager_installed.nbin");
  script_require_keys("installed_sw/Oracle Enterprise Manager Cloud Control");

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("oracle_rdbms_cpu_func.inc");
include("install_func.inc");

product = "Oracle Enterprise Manager Cloud Control";
install = get_single_install(app_name:product, exit_if_unknown_ver:TRUE);
version = install['version'];
emchome = install['path'];

patchid = FALSE;
fix = NULL;

# Map each affected release train to the January 2016 CPU patch and its patched version
if (version =~ "^12\.1\.0\.5(\.[0-9])?$")
{
  patchid = "22115901";
  fix = "12.1.0.5.160119";
}
if (version =~ "^12\.1\.0\.4(\.[0-9])?$")
{
  patchid = "22132672";
  fix = "12.1.0.4.160119";
}
if (version =~ "^11\.1\.0\.1(\.[0-9])?$")
{
  patchid = "22266340";
  fix = "11.1.0.1.160119";
}

if (!patchid) audit(AUDIT_HOST_NOT, 'affected');

# compare version to check if we've already adjusted for patch level during detection
if (ver_compare(ver:version, fix:fix, strict:FALSE) >= 0)
  audit(AUDIT_INST_PATH_NOT_VULN, product, version, emchome);

# Now look for the affected components
patchesinstalled = find_patches_in_ohomes(ohomes:make_list(emchome));
if (isnull(patchesinstalled))
{
  missing = patchid;
  patched = FALSE;
}
else
{
  patched = FALSE;
  foreach applied (keys(patchesinstalled[emchome]))
  {
    if (applied == patchid)
    {
      patched = TRUE;
      break;
    }
    else
    {
      foreach bugid (patchesinstalled[emchome][applied]['bugs'])
      {
        if (bugid == patchid)
        {
          patched = TRUE;
          break;
        }
      }
    }
  }
  if (!patched)
  {
    missing = patchid;
  }
}

if (empty_or_null(missing)) audit(AUDIT_HOST_NOT, 'affected');

if (report_verbosity > 0)
{
  report +=
    '\n  Product       : ' + product +
    '\n  Version       : ' + version +
    '\n  Missing patch : ' + patchid +
    '\n';
  security_warning(port:0, extra:report);
}
else security_warning(0);
```
NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2015-11475.NASL |
description | Security fix for CVE-2015-1793 high severity issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-05 |
modified | 2015-07-14 |
plugin id | 84691 |
published | 2015-07-14 |
reporter | This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/84691 |
title | Fedora 22 : openssl-1.0.1k-11.fc22 (2015-11475) |

NASL family | Databases |
NASL id | MYSQL_5_6_26_RPM.NASL |
description | The version of Oracle MySQL installed on the remote host is 5.6.x prior to 5.6.26. It is, therefore, affected by the following vulnerabilities : - A certificate validation bypass vulnerability exists in the Security:Encryption subcomponent due to a flaw in the X509_verify_cert() function in x509_vfy.c that is triggered when locating alternate certificate chains when the first attempt to build such a chain fails. A remote attacker can exploit this, by using a valid leaf certificate as a certificate authority (CA), to issue invalid certificates that will bypass authentication. (CVE-2015-1793) - An unspecified flaw exists in the Client Programs subcomponent. A local attacker can exploit this to gain elevated privileges. (CVE-2015-4819) - An unspecified flaw exists in the DLM subcomponent. An authenticated, remote attacker can exploit this to impact integrity. (CVE-2015-4879) Additionally, unspecified denial of service vulnerabilities exist in the following MySQL subcomponents : - InnoDB (CVE-2015-4895) - libmysqld (CVE-2015-4904) - Partition (CVE-2015-4833) - Security:Firewall (CVE-2015-4766) |
last seen | 2020-06-04 |
modified | 2015-10-29 |
plugin id | 86660 |
published | 2015-10-29 |
reporter | This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/86660 |
title | Oracle MySQL 5.6.x < 5.6.26 Multiple Vulnerabilities (October 2015 CPU) |

NASL family | Web Servers |
NASL id | OPENSSL_1_0_1P.NASL |
description | According to its banner, the remote host is running a version of OpenSSL 1.0.1 prior to 1.0.1p. It is, therefore, affected by the following vulnerabilities : - A certificate validation bypass vulnerability exists due to a flaw in the X509_verify_cert() function in x509_vfy.c that is triggered when locating alternate certificate chains when the first attempt to build such a chain fails. A remote attacker can exploit this, by using a valid leaf certificate as a certificate authority (CA), to issue invalid certificates that will bypass authentication. Note that this issue affects only versions 1.0.1n and 1.0.1o. (CVE-2015-1793) - A race condition exists in s3_clnt.c that is triggered when PSK identity hints are incorrectly updated in the parent SSL_CTX structure when they are received by a multi-threaded client. A remote attacker can exploit this, via a crafted ServerKeyExchange message, to cause a double-free memory error, resulting in a denial of service. (CVE-2015-3196) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 84636 |
published | 2015-07-09 |
reporter | This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/84636 |
title | OpenSSL 1.0.1 < 1.0.1p Multiple Vulnerabilities |

NASL family | CGI abuses |
NASL id | CISCO-SA-CSCUV26213-PRSM.NASL |
description | According to its self-reported version number, the version of Cisco Prime Security Manager installed on the remote host has a bundled version of OpenSSL that is affected by a certificate validation bypass vulnerability. The vulnerability exists due to a flaw in the X509_verify_cert() function in x509_vfy.c that is triggered when locating alternate certificate chains when the first attempt to build such a chain fails. A remote attacker can exploit this, by using a valid leaf certificate as a certificate authority (CA), to issue invalid certificates that will bypass authentication. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 86105 |
published | 2015-09-23 |
reporter | This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/86105 |
title | Cisco Prime Security Manager OpenSSL Alternative Chains Certificate Forgery (cisco-sa-20150710-openssl) |

NASL family | SuSE Local Security Checks |
NASL id | OPENSUSE-2015-889.NASL |
description | MySQL was updated to 5.6.27 to fix security issues and bugs. The following vulnerabilities were fixed as part of the upstream release [boo#951391]: CVE-2015-1793, CVE-2015-0286, CVE-2015-0288, CVE-2015-1789, CVE-2015-4730, CVE-2015-4766, CVE-2015-4792, CVE-2015-4800, CVE-2015-4802, CVE-2015-4815, CVE-2015-4816, CVE-2015-4819, CVE-2015-4826, CVE-2015-4830, CVE-2015-4833, CVE-2015-4836, CVE-2015-4858, CVE-2015-4861, CVE-2015-4862, CVE-2015-4864, CVE-2015-4866, CVE-2015-4870, CVE-2015-4879, CVE-2015-4890, CVE-2015-4895, CVE-2015-4904, CVE-2015-4905, CVE-2015-4910, CVE-2015-4913 Details on these and other changes can be found at: http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-27.html The following security relevant changes are included additionally : - CVE-2015-3152: MySQL lacked SSL enforcement. Using --ssl-verify-server-cert and --ssl[-*] implies that the ssl connection is required. The mysql client will now print an error if ssl is required, but the server can not handle a ssl connection [boo#924663], [boo#928962] |
last seen | 2020-06-05 |
modified | 2015-12-17 |
plugin id | 87442 |
published | 2015-12-17 |
reporter | This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/87442 |
title | openSUSE Security Update : mysql (openSUSE-2015-889) (BACKRONYM) |

NASL family | Web Servers |
NASL id | OPENSSL_1_0_2D.NASL |
description | According to its banner, the remote host is running a version of OpenSSL 1.0.2 prior to 1.0.2d. It is, therefore, affected by the following vulnerabilities : - A certificate validation bypass vulnerability exists due to a flaw in the X509_verify_cert() function in x509_vfy.c that is triggered when locating alternate certificate chains when the first attempt to build such a chain fails. A remote attacker can exploit this, by using a valid leaf certificate as a certificate authority (CA), to issue invalid certificates that will bypass authentication. (CVE-2015-1793) - A race condition exists in s3_clnt.c that is triggered when PSK identity hints are incorrectly updated in the parent SSL_CTX structure when they are received by a multi-threaded client. A remote attacker can exploit this, via a crafted ServerKeyExchange message, to cause a double-free memory error, resulting in a denial of service. (CVE-2015-3196) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 84637 |
published | 2015-07-09 |
reporter | This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/84637 |
title | OpenSSL 1.0.2 < 1.0.2d Multiple Vulnerabilities |

NASL family | CISCO |
NASL id | CISCO-SA-CSCUV26213-ASA-CX.NASL |
description | The remote ASA Next-Generation Firewall (NGFW) host is missing a security patch. It is, therefore, affected by a certificate validation bypass vulnerability in the bundled version of OpenSSL. The vulnerability exists due to a flaw in the X509_verify_cert() function in x509_vfy.c that is triggered when locating alternate certificate chains when the first attempt to build such a chain fails. A remote attacker can exploit this, by using a valid leaf certificate as a certificate authority (CA), to issue invalid certificates that will bypass authentication. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 86104 |
published | 2015-09-23 |
reporter | This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/86104 |
title | Cisco ASA Next-Generation Firewall OpenSSL Alternative Chains Certificate Forgery (cisco-sa-20150710-openssl) |

NASL family | CISCO |
NASL id | CISCO-SA-20150710-OPENSSL-VSG.NASL |
description | The remote Cisco Virtual Security Gateway device is affected by a certificate validation bypass vulnerability in the bundled OpenSSL library due to a flaw in the X509_verify_cert() function in x509_vfy.c that is triggered when locating alternate certificate chains in cases where the first attempt to build such a chain fails. A remote attacker can exploit this, by using a valid leaf certificate as a certificate authority (CA), to issue invalid certificates that will bypass authentication. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 85685 |
published | 2015-08-28 |
reporter | This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/85685 |
title | Cisco Virtual Security Gateway OpenSSL Alternative Certificate Validation Bypass (cisco-sa-20150710-openssl) |

NASL family | Gentoo Local Security Checks |
NASL id | GENTOO_GLSA-201507-15.NASL |
description | The remote host is affected by the vulnerability described in GLSA-201507-15 (OpenSSL: Alternate chains certificate forgery) During certificate verification, OpenSSL attempts to find an alternative certificate chain if the first attempt to build such a chain fails. Impact : A remote attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and “issue” an invalid certificate. Workaround : There is no known workaround at this time. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 86084 |
published | 2015-09-23 |
reporter | This script is Copyright (C) 2015-2017 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/86084 |
title | GLSA-201507-15 : OpenSSL: Alternate chains certificate forgery |

NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2015-11414.NASL |
description | Security fix for CVE-2015-1793 high severity issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-05 |
modified | 2015-07-14 |
plugin id | 84690 |
published | 2015-07-14 |
reporter | This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/84690 |
title | Fedora 21 : openssl-1.0.1k-11.fc21 (2015-11414) |

NASL family | Web Servers |
NASL id | HPSMH_7_5_4.NASL |
description | According to the web server |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 90150 |
published | 2016-03-24 |
reporter | This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/90150 |
title | HP System Management Homepage < 7.5.4 Multiple Vulnerabilities (Logjam) |

NASL family | Amazon Linux Local Security Checks |
NASL id | ALA_ALAS-2015-564.NASL |
description | During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 84647 |
published | 2015-07-13 |
reporter | This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/84647 |
title | Amazon Linux AMI : openssl (ALAS-2015-564) |

NASL family | CGI abuses |
NASL id | SPLUNK_625.NASL |
description | According to its version number, the instance of Splunk hosted on the remote web server is Enterprise 5.0.x prior to 5.0.14, 6.0.x prior to 6.0.10, 6.1.x prior to 6.1.9, 6.2.x prior to 6.2.5, or Light 6.2.x prior to 6.2.5. It is, therefore, affected by the following vulnerabilities in the bundled OpenSSL library : - A denial of service vulnerability exists when processing an ECParameters structure due to an infinite loop that occurs when a specified curve is over a malformed binary polynomial field. A remote attacker can exploit this to perform a denial of service against any system that processes public keys, certificate requests, or certificates. This includes TLS clients and TLS servers with client authentication enabled. (CVE-2015-1788) - A denial of service vulnerability exists due to improper validation of the content and length of the ASN1_TIME string by the X509_cmp_time() function. A remote attacker can exploit this, via a malformed certificate and CRLs of various sizes, to cause a segmentation fault, resulting in a denial of service condition. TLS clients that verify CRLs are affected. TLS clients and servers with client authentication enabled may be affected if they use custom verification callbacks. (CVE-2015-1789) - A NULL pointer dereference flaw exists in the PKCS#7 parsing code due to incorrect handling of missing inner |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 85581 |
published | 2015-08-21 |
reporter | This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/85581 |
title | Splunk Enterprise < 5.0.14 / 6.0.10 / 6.1.9 / 6.2.5 or Splunk Light < 6.2.5 Multiple Vulnerabilities |

NASL family | SuSE Local Security Checks |
NASL id | SUSE_SU-2015-2303-1.NASL |
description | The mysql package was updated to version 5.5.46 to fix several security and non security issues. - bnc#951391: update to version 5.5.46 - changes: http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-46.html - fixed CVEs: CVE-2015-1793, CVE-2015-0286, CVE-2015-0288, CVE-2015-1789, CVE-2015-4730, CVE-2015-4766, CVE-2015-4792, CVE-2015-4800, CVE-2015-4802, CVE-2015-4815, CVE-2015-4816, CVE-2015-4819, CVE-2015-4826, CVE-2015-4830, CVE-2015-4833, CVE-2015-4836, CVE-2015-4858, CVE-2015-4861, CVE-2015-4862, CVE-2015-4864, CVE-2015-4866, CVE-2015-4870, CVE-2015-4879, CVE-2015-4890, CVE-2015-4895, CVE-2015-4904, CVE-2015-4905, CVE-2015-4910, CVE-2015-4913 - bnc#952196: Fixed a build error for ppc*, s390* and ia64 architectures. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 87525 |
published | 2015-12-21 |
reporter | This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/87525 |
title | SUSE SLED11 / SLES11 Security Update : mysql (SUSE-SU-2015:2303-1) |

NASL family | FreeBSD Local Security Checks |
NASL id | FREEBSD_PKG_075952FE267E11E59D033C970E169BC2.NASL |
description | OpenSSL reports : During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 84651 |
published | 2015-07-13 |
reporter | This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/84651 |
title | FreeBSD : openssl -- alternate chains certificate forgery vulnerability (075952fe-267e-11e5-9d03-3c970e169bc2) |

NASL family | Databases |
NASL id | MYSQL_5_6_27.NASL |
description | The version of MySQL running on the remote host is 5.6.x prior to 5.6.27. It is, therefore, potentially affected by the following vulnerabilities : - A certificate validation bypass vulnerability exists in the Security:Encryption subcomponent due to a flaw in the X509_verify_cert() function in x509_vfy.c that is triggered when locating alternate certificate chains when the first attempt to build such a chain fails. A remote attacker can exploit this, by using a valid leaf certificate as a certificate authority (CA), to issue invalid certificates that will bypass authentication. (CVE-2015-1793) - An unspecified flaw exists in the Client Programs subcomponent. A local attacker can exploit this to gain elevated privileges. (CVE-2015-4819) - An unspecified flaw exists in the Types subcomponent. An authenticated, remote attacker can exploit this to gain access to sensitive information. (CVE-2015-4826) - Unspecified flaws exist in the Security:Privileges subcomponent. An authenticated, remote attacker can exploit these to impact integrity. (CVE-2015-4830, CVE-2015-4864) - An unspecified flaw exists in the DLM subcomponent. An authenticated, remote attacker can exploit this to impact integrity. (CVE-2015-4879) - An unspecified flaw exists in the Server Security Encryption subcomponent that allows an authenticated, remote attacker to disclose sensitive information. (CVE-2015-7744) Additionally, unspecified denial of service vulnerabilities can also exist in the following MySQL subcomponents : - DDL (CVE-2015-4815) - DML (CVE-2015-4858, CVE-2015-4862, CVE-2015-4905, CVE-2015-4913) - InnoDB (CVE-2015-4861, CVE-2015-4866, CVE-2015-4895) - libmysqld (CVE-2015-4904) - Memcached (CVE-2015-4910) - Optimizer (CVE-2015-4800) - Parser (CVE-2015-4870) - Partition (CVE-2015-4792, CVE-2015-4802, CVE-2015-4833) - Query (CVE-2015-4807) - Replication (CVE-2015-4890) - Security : Firewall (CVE-2015-4766) - Server : General (CVE-2016-0605) - Security : Privileges (CVE-2015-4791) - SP (CVE-2015-4836) - Types (CVE-2015-4730) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 86547 |
published | 2015-10-22 |
reporter | This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/86547 |
title | MySQL 5.6.x < 5.6.27 Multiple Vulnerabilities |

NASL family | Slackware Local Security Checks |
NASL id | SLACKWARE_SSA_2015-190-01.NASL |
description | New openssl packages are available for Slackware 14.0, 14.1, and -current to fix a security issue. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 84646 |
published | 2015-07-13 |
reporter | This script is Copyright (C) 2015-2016 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/84646 |
title | Slackware 14.0 / 14.1 / current : openssl (SSA:2015-190-01) |
Packetstorm
data source | https://packetstormsecurity.com/files/download/143369/orionbrowser79-mitm.txt |
id | PACKETSTORM:143369 |
last seen | 2017-07-15 |
published | 2017-07-14 |
reporter | MaXe |
source | https://packetstormsecurity.com/files/143369/Orion-Elite-Hidden-IP-Browser-Pro-7.9-OpenSSL-Tor-Man-In-The-Middle.html |
title | Orion Elite Hidden IP Browser Pro 7.9 OpenSSL / Tor / Man-In-The-Middle |

data source | https://packetstormsecurity.com/files/download/134250/rcvalle_accforgery.rb.txt |
id | PACKETSTORM:134250 |
last seen | 2016-12-05 |
published | 2015-11-06 |
reporter | Ramon de C Valle |
source | https://packetstormsecurity.com/files/134250/OpenSSL-Alternative-Chains-Certificate-Forgery.html |
title | OpenSSL Alternative Chains Certificate Forgery |

data source | https://packetstormsecurity.com/files/download/132843/openssl_altchainsforgery_mitm_proxy.rb.txt |
id | PACKETSTORM:132843 |
last seen | 2016-12-05 |
published | 2015-07-27 |
reporter | Ramon de C Valle |
source | https://packetstormsecurity.com/files/132843/OpenSSL-Alternative-Chains-Certificate-Forgery-MITM-Proxy.html |
title | OpenSSL Alternative Chains Certificate Forgery MITM Proxy |
The Hacker News
id | THN:222E7964C49D6C2FA7B49F28896E3933 |
last seen | 2018-01-27 |
modified | 2015-07-09 |
published | 2015-07-09 |
reporter | Mohit Kumar |
source | https://thehackernews.com/2015/07/openssl-vulnerability-ssl-certificate.html |
title | Critical OpenSSL Flaw Allows Hackers to Impersonate Any Trusted SSL Certificate |
References
- http://openssl.org/news/secadv_20150709.txt
- http://marc.info/?l=bugtraq&m=143880121627664&w=2
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10694
- http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
- http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
- http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
- http://www.securityfocus.com/bid/91787
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05184351
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05045763
- http://marc.info/?l=bugtraq&m=144370846326989&w=2
- http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
- http://www.securityfocus.com/bid/75652
- http://fortiguard.com/advisory/2015-07-09-cve-2015-1793-openssl-alternative-chains-certificate-forgery
- http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-454058.htm
- http://www.fortiguard.com/advisory/2015-07-09-cve-2015-1793-openssl-alternative-chains-certificate-forgery
- https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04822825
- https://kc.mcafee.com/corporate/index?page=content&id=SB10125
- https://security.gentoo.org/glsa/201507-15
- http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2015-008.txt.asc
- https://www.freebsd.org/security/advisories/FreeBSD-SA-15:12.openssl.asc
- http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.561427
- http://www.securitytracker.com/id/1032817
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150710-openssl
- http://lists.fedoraproject.org/pipermail/package-announce/2015-July/161782.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-July/161747.html
- https://www.exploit-db.com/exploits/38640/
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
- https://help.ecostruxureit.com/display/public/UADCO8x/StruxureWare+Data+Center+Operation+Software+Vulnerability+Fixes
- https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=9a0db453ba017ebcaccbee933ee6511a9ae4d1c8