CVE-2015-1793
high-risk
Published 2015-07-09
The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly process X.509 Basic Constraints cA values during identification of alternative certificate chains, which allows remote attackers to spoof a Certification Authority role and trigger unintended certificate verifications via a valid leaf certificate.
Do I need to act?
76.4% chance of exploitation in next 30 days
EPSS score — higher than 24% of all CVEs
Not on CISA KEV list
No confirmed active exploitation reported to CISA
1 public exploit available
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 6.5/10
Medium
NETWORK / LOW complexity
Affected Products (10)
References (62)
Vendor Advisory
http://openssl.org/news/secadv_20150709.txt
and 42 more references
60/100 · high-risk
Severity
24/34 · High
Exploitability
20/34 · Moderate
Exposure
16/34 · Moderate