OpenSSL Alternative Chains Certificate Forgery Security Bypass Vulnerability (CVE-2015-1793)

  Severity: CRITICAL
  CVE Identifier: CVE-2015-1793
  Advisory Date: JUL 09, 2015

  DESCRIPTION

A certificate forgery security bypass has been reported in OpenSSL. This is due to incorrectly implemented certificate verification in OpenSSL. An attacker could use a crafted certificate to bypass certain checks. Successful exploitation could allow a remote attacker to bypass intended access restrictions.

  TREND MICRO PROTECTION INFORMATION

Vulnerability Protection in Trend Micro Deep Security protects user systems from threats that may leverage this vulnerability with the following DPI rules:

  • 1006855 – OpenSSL Alternative Chains Certificate Forgery Security Bypass Vulnerability (CVE-2015-1793)
  • 1006856 – OpenSSL Client Alternative Chains Certificate Forgery Security Bypass Vulnerability (CVE-2015-1793)

  SOLUTION

  AFFECTED SOFTWARE AND VERSION

  • OpenSSL 1.0.2c
  • OpenSSL 1.0.2b
  • OpenSSL 1.0.1n
  • OpenSSL 1.0.1o