Risk level: Critical
  CVE identifier: CVE-2015-1793
  Advisory date: July 9, 2015

  Description

A certificate forgery security bypass vulnerability has been reported in OpenSSL. It is due to incorrectly implemented certificate verification in OpenSSL. An attacker could use a crafted certificate to bypass certain checks. Successful exploitation could allow a remote attacker to bypass intended access restrictions.

  Protection information

Vulnerability Protection in Trend Micro Deep Security protects user systems from threats that may leverage this vulnerability with the following DPI rules:

  • 1006855 – OpenSSL Alternative Chains Certificate Forgery Security Bypass Vulnerability (CVE-2015-1793)
  • 1006856 – OpenSSL Client Alternative Chains Certificate Forgery Security Bypass Vulnerability (CVE-2015-1793)

  Solution

  Affected software and versions:

  • OpenSSL 1.0.2c
  • OpenSSL 1.0.2b
  • OpenSSL 1.0.1n
  • OpenSSL 1.0.1o