[arch-security] [ASA-201507-12] lib32-openssl: man-in-the-middle

Levente Polyak anthraxx at archlinux.org
Mon Jul 13 15:04:53 UTC 2015


Arch Linux Security Advisory ASA-201507-12
==========================================

Severity: High
Date    : 2015-07-13
CVE-ID  : CVE-2015-1793
Package : lib32-openssl
Type    : man-in-the-middle
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package lib32-openssl before version 1.0.2.d-1 is vulnerable to
man-in-the-middle.

Resolution
==========

Upgrade to 1.0.2.d-1.

# pacman -Syu "lib32-openssl>=1.0.2.d-1"

The problem has been fixed upstream in version 1.0.2.d.

Workaround
==========

None.

Description
===========

During certificate verification, OpenSSL will attempt to find an
alternative certificate chain if the first attempt to build such a chain
fails. An error in the implementation of this logic can mean that an
attacker could cause certain checks on untrusted certificates to be
bypassed, such as the CA flag, enabling them to use a valid leaf
certificate to act as a CA and "issue" an invalid certificate.

This issue will impact any application that verifies certificates
including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client
authentication.

Impact
======

A remote attacker is able to use a valid leaf certificate to act as a CA
and "issue" an invalid certificate that behaves valid to possibly
perform a man-in-the-middle attack.

References
==========

https://openssl.org/news/secadv_20150709.txt
https://access.redhat.com/security/cve/CVE-2015-1793

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20150713/7fa2c166/attachment.asc>


More information about the arch-security mailing list