Bug 1238619 (CVE-2015-1793)

Summary: CVE-2015-1793 openssl: alternative chains certificate forgery
Product: [Other] Security Response Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: carnil, devin, redhat-bugzilla, rz, sardella, security-response-team, tmraz
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openssl 1.0.1p, openssl 1.0.2d Doc Type: Bug Fix
Doc Text:
A flaw was found in the way OpenSSL verified alternative certificate chains. An attacker able to supply a certificate chain to an SSL/TLS or DTLS client or an SSL/TLS or DTLS server using client authentication could use this flaw to bypass certain checks in the verification process, possibly allowing them to use one of the certificates in the supplied certificate chain as a CA certificate to generate an invalid certificate.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-07-13 09:02:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1241544    
Bug Blocks: 1238620    
Attachments:
Description Flags
Main patch
none
Followup patch 1
none
Followup patch 2 none

Description Huzaifa S. Sidhpurwala 2015-07-02 09:52:37 UTC 
The following was reported by OpenSSL upstream:

During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first
attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate.

This issue will impact any application that verifies certificates including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.

This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.

OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d
OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p

This issue was reported to OpenSSL on 24th June 2015 by Adam Langley/David Benjamin (Google/BoringSSL). The fix was developed by the BoringSSL project.
Comment 1 Huzaifa S. Sidhpurwala 2015-07-02 09:54:32 UTC 
Created attachment 1045431 [details]
Main patch
Comment 2 Huzaifa S. Sidhpurwala 2015-07-02 09:55:02 UTC 
Created attachment 1045432 [details]
Followup patch 1
Comment 3 Huzaifa S. Sidhpurwala 2015-07-02 09:55:29 UTC 
Created attachment 1045433 [details]
Followup patch 2
Comment 4 Huzaifa S. Sidhpurwala 2015-07-02 09:56:11 UTC 
Statement:

Not vulnerable. This issue does not affect any version of the OpenSSL package as shipped with Red Hat Enterprise Linux 4, 5, 6 and 7, JBoss Enterprise Application Platform 6, Red Hat JBoss Enterprise Web Server 1 and 2, and Red Hat JBoss Web Server 3 because they did not include support for alternative certificate chains.
Comment 5 Huzaifa S. Sidhpurwala 2015-07-06 04:09:55 UTC 
Acknowledgements:

Red Hat would like to thank OpenSSL upstream for reporting this issue. Upstream acknowledges Adam Langley of Google and David Benjamin of BoringSSL as the original reporters.
Comment 7 Martin Prpič 2015-07-09 12:49:28 UTC 
External References:

http://openssl.org/news/secadv_20150709.txt
Comment 8 Martin Prpič 2015-07-09 12:52:41 UTC 
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1241544]
Comment 9 Martin Prpič 2015-07-09 13:21:13 UTC 
FeedHenry advisory covering impact on multi-tenant SaaS offerings:

http://feedhenrystatus.com/2015/07/09/security-advisory-cve-2015-1793/
Comment 10 Mark J. Cox 2015-07-09 13:22:36 UTC 
Note, for clarity, the first affected upstream versions 1.0.1n and 1.0.2b were released on June 11th 2015.
Comment 11 Tomas Hoger 2015-07-09 13:39:32 UTC 
Upstream commits in 1.0.1 branch:

Main patch:
http://git.openssl.org/?p=openssl.git;a=commitdiff;h=9a0db453ba017ebcaccbee933ee6511a9ae4d1c8

Test case:
http://git.openssl.org/?p=openssl.git;a=commitdiff;h=d42d1004332f40c1098946b0804791fd3da3e378

Follow-up patches:
http://git.openssl.org/?p=openssl.git;a=commitdiff;h=b3b1eb5735c5b3d566a9fc3bf745bf716a29afa0
http://git.openssl.org/?p=openssl.git;a=commitdiff;h=cb22d2ae5a5b6069dbf66dbcce07223ac15a16de

Alternate chains handling, and hence this vulnerability, was introduced to 1.0.1 branch via the following commit:
http://git.openssl.org/?p=openssl.git;a=commitdiff;h=f7bf8e02dfcb2c02bc12a59276d0a3ba43e6c204

Related upstream bug reports:
https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
https://rt.openssl.org/Ticket/Display.html?id=3637&user=guest&pass=guest
Comment 12 Tomas Hoger 2015-07-09 13:44:20 UTC 
Current Fedora versions are affected, as the alternative chain handling code was backported to F21 and F22:

http://pkgs.fedoraproject.org/cgit/openssl.git/commit/?id=fc6854bd38f0a020118914e09bb7ef00964a9435
https://bugzilla.redhat.com/show_bug.cgi?id=1166614