Alternative chains certificate forgery - CVE-2015-1793

OpenSSL recently announced a certificate verification bug, detailed in CVE-2015-1793, in the X509_verify_cert function in crypto/x509/x509_vfy.c of OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c. When building alternative certificate chains, the function does not properly check the X.509 basicConstraints CA value, which allows remote attackers to spoof a Certification Authority role and trigger unintended certificate verifications via a valid leaf certificate.

KEMP has determined that all LoadMasters are NOT affected by this bug, as the affected versions of OpenSSL have never shipped in our LoadMaster products.

For further information on this vulnerability, please see:

https://www.openssl.org/news/secadv_20150709.txt

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1793

KEMP is committed to resolving security vulnerabilities carefully and quickly. If you think you have found a security flaw in a KEMP product, please send all supporting information to securityalert@kemptechnologies.com.
