On Thursday, July 9th the OpenSSL Project Team released a security advisory with the details and the patched versions of OpenSSL affected by the vulnerability called the “Alternative chains certificate forgery” (CVE-2015-1793).
The team had announced on their OpenSSL-announce mailing list on Monday, July 6th that there would be updates to the 1.0.1 and 1.0.2 versions of OpenSSL released on Thursday to address a single “high severity” defect that had been discovered.
As OpenSSL remains one of the critical software packages used for encryption for sites and services on the Internet, we urge our customers to update the OpenSSL packages on your systems where appropriate. As mentioned in their security advisory this vulnerability only affects four specific versions of OpenSSL (1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o) today. If you’re running some version of 1.0.0 or 0.9.8 still, you’re not at risk of this specific vulnerability, but the OpenSSL team points out that those versions of the product will no longer be supported after this year and they encourage users to upgrade.
The defect was an implementation error discovered in the certificate verification part of the client authentication process that’s used between SSL/TLS/DTLS clients and servers which could “…cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and “issue” an invalid certificate”, according to the advisory.
While the world was poised for a massive response to this vulnerability, like “HeartBleed”, it turns out the affected versions of software aren’t as widely installed according to the various Linux distributor’s advisories (Amazon, Red Hat, Ubuntu, etc.) but we still recommend you evaluate your level of exposure and patch accordingly.
With CloudPassage Halo and SVA you can easily do a complete software inventory and vulnerability assessment and determine if you have any instances of the vulnerable software.
For more information on how to run the scan, click here.