OPENSSL Patches Certification Validation Vulnerability

Yet Another critical Flaw and Critical Patch

openssl bug

 

 

 

 

 

 

 

 

 

 

 

The flaw reported two weeks ago by a Google researcher Adam Langley and BoringSSL’s David Benjamin, affects OpenSSL 1.0.1 and 1.0.2. The flaw have been patched by OpenSSL.

OpenSSL CHANGES

Alternate chains certificate forgery

During certificate verfification, OpenSSL will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and “issue” an invalid certificate.

This issue was reported to OpenSSL by Adam Langley/David Benjamin
(Google/BoringSSL).
[Matt Caswell]

This issue will impact any application that verifies certificates including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication

It’s a bad bug, but only affects anyone who installed the release from June says OpenSSL development team… It’s a bad bug, but the impact is low. We haven’t heard any reports of it being used in production.

In an advisory OpenSSL said:

During certificate verification, OpenSSL will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could use certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and ‘issue’ an invalid certificate.

Author: Shivniel Gounder

TheGeek : Writes about information security, privacy, cybersecurity and latest tech gadgets and more.

Share This Post On
Try Wrike: fast, easy, and efficient project collaboration software

Submit a Comment

%d bloggers like this: