Alternative chains certificate forgery (CVE-2015-1793)
| Advisory ID | CVE Number | Date discovered | Severity | Advisory revision |
|---|---|---|---|---|
| STORM-2015-008 | CVE-2015-1793 | 07/09/2015 | high | v2 |
Vulnerability details
During certificate verification, OpenSSL attempts to find an alternative certificate chain if the first attempt to build such a chain fails. Because of an error of implementation of this process, an attacker could cause this flaw to bypass certain checks on untrusted certificates, such as the CA flag, enabling these checks to use a valid leaf certificate to act as a CA and “issue” an invalid certificate.
This issue will impact any application that verifies certificates including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.
Impacted products
| Products | Severity | Detail |
|---|---|---|
| Stormshield Network Security | high | SNS uses a vulnerable version of OpenSSL |
| Netasq | high | Netasq uses a vulnerable version of OpenSSL |
Revisions
| Version | Date | Description |
|---|---|---|
| v1 | 07/15/2015 | Initial release |
| v2 | 07/27/2015 | New workaround for SNS and Netasq |
Stormshield Network Security |
CVSS v2 Overall Score: 7.5
|
Analysis |
Impacted version |
|
Webadmin, authentication portal and ssl vpn portal are vulnerable because they use client certificate authentication. SSL proxy can also trust malicious clients and servers. |
|
Workaround solution |
Solution |
|
SSL client certificate authentication can be disabled in the Webadmin, authentication portal and ssl vpn. There is no workaround solution for the ssl proxy. |
The v1.3.4 and v2.1.2 will fix this vulnerability. |
| Access vector | Access complexity | Authentication | Confidentiality impact | Integrity impact | Availability impact |
|---|---|---|---|---|---|
| Network | Low | None | Partial | Partial | None |
| CVSS Base score: 6.4 | CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N) |
| Exploitability | Remediation Level | Report Confidence |
|---|---|---|
| High | Unavailable | Confirmed |
| CVSS Temporal score: 6.4 | CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N/E:H/RL:U/RC:C) |
| Collateral Damage Potential | Target Distribution |
|---|---|
| Low-Medium | High [76-100%] |
| CVSS Environmental score: 7.5 | CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N/E:H/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND) |
Netasq |
CVSS v2 Overall Score: 7.5
|
Analysis |
Impacted version |
|
Webadmin, authentication portal and ssl vpn portal are vulnerable because they use client certificate authentication. SSL proxy can also trust malicious clients and servers. |
|
Workaround solution |
Solution |
|
SSL client certificate authentication can be disabled in the Webadmin, authentication portal and ssl vpn. There is no workaround solution for the ssl proxy |
The v9.1.5.3 will fix this vulnerability |
| Access vector | Access complexity | Authentication | Confidentiality impact | Integrity impact | Availability impact |
|---|---|---|---|---|---|
| Network | Low | None | Partial | Partial | None |
| CVSS Base score: 6.4 | CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N) |
| Exploitability | Remediation Level | Report Confidence |
|---|---|---|
| High | Unavailable | Confirmed |
| CVSS Temporal score: 6.4 | CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N/E:H/RL:U/RC:C) |
| Collateral Damage Potential | Target Distribution |
|---|---|
| Low-Medium | High [76-100%] |
| CVSS Environmental score: 7.5 | CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N/E:H/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND) |