Certificate Verification Vulnerability
Severity Level: Medium
AppRisk Coverage: Yes
Type: Vulnerability
OWASP: M4: Unintended Data Leakage
Aliases:
Platform: Android
File size (bytes): N/A
Filename: N/A
App title: N/A
MD5 Hash: N/A
SHA1 hash: N/A
Affected CVE:
- CVE-2015-1793
Details or analysis:
The Certificate Verification Vulnerability, also known as CVE-2015-1793, was introduced in June 2015. The vulnerability affects OpenSSL versions 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c.
The Certificate Verification Vulnerability is a weakness that can misdirect users to a fake site by bypassing the website certificate verification process. The problem stems from an incorrect implementation of certificate chain verification that came with a June 2015 OpenSSL update. The vulnerability makes it possible for an attacker to use a valid leaf certificate to act as a root certificate authority, and produce an invalid certificate.
Additional information
X509 (or identity) certificates: a certificate that has a public key and an identity for an entity. These can be end-entity certificates if they are at the end of the chain of verification.
Certificate Authority: a trusted website or organization that gives out certificate authority certificates that are signed with a key. Examples of such sites are Godaddy.com and VeriSign.
Root (or Certificate Authority, or CA) Certificates: a certificate containing the key of a certificate authority. This key cannot be checked by cryptographic computations and must be trusted.
Leaf (or end-entity) certificates: a certificate that has the public key and identity for an entity that is most often not a certificate authority; it requires verification to be valid. There can also be intermediate certificates, at neither the end nor the start of the chain, that are similar to end-entity certificates.
The vulnerability was addressed as a “high severity” security update, and should be corrected in versions 1.0.1p and 1.0.2d. Exploitation of the vulnerability did not result in root access. The OpenSSL team that patched the issue indicated the fix was an additional line of code.
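To check whether an Android package bundles one of the affected OpenSSL releases listed above, the following added example (not part of the original advisory or of any scanner's own code) searches the native libraries inside an APK for the OpenSSL version banner. It assumes the library still carries the standard `OpenSSL <version> <date>` banner string; the function names and the sample archive are constructed for illustration.

```python
import io
import re
import zipfile

# Affected releases as listed in the advisory above.
AFFECTED = {"1.0.1n", "1.0.1o", "1.0.2b", "1.0.2c"}

# Assumed banner shape, e.g. b"OpenSSL 1.0.1o 12 Jun 2015" (optional "-fips" style suffix).
BANNER = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+[a-z]{0,2})(?:-[A-Za-z0-9]+)? +\d{1,2} [A-Z][a-z]{2} \d{4}"
)


def openssl_versions(blob):
    """Return the set of OpenSSL versions whose banner appears in a binary blob."""
    return {m.group(1).decode("ascii") for m in BANNER.finditer(blob)}


def scan_apk(apk):
    """Scan the .so entries of an APK (path or file object).

    Returns a sorted list of (entry name, version, affected) tuples.
    """
    findings = []
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            if not name.endswith(".so"):
                continue  # only native libraries are inspected
            for version in openssl_versions(zf.read(name)):
                findings.append((name, version, version in AFFECTED))
    return sorted(findings)


def build_sample_apk():
    """Constructed test input: a zip holding two fake native libraries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/armeabi-v7a/libcrypto.so",
                    b"\x7fELF\x00pad\x00OpenSSL 1.0.1o 12 Jun 2015\x00more")
        zf.writestr("lib/x86/libcrypto.so",
                    b"\x7fELF\x00OpenSSL 1.0.2d 9 Jul 2015\x00")
        zf.writestr("classes.dex", b"OpenSSL 1.0.2b 11 Jun 2015")  # not a .so, skipped
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for entry, version, affected in scan_apk(build_sample_apk()):
        status = "AFFECTED" if affected else "not in affected list"
        print(f"{entry}: OpenSSL {version} -> {status}")
```

A library with the banner stripped or altered will not be reported, so an empty result does not prove that no affected OpenSSL build is present.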
Analysis by: Dimtcho Dimov