Bug 1970201 (CVE-2021-3601) - CVE-2021-3601 openssl: Certificate with CA:FALSE is accepted as valid CA cert
Summary: CVE-2021-3601 openssl: Certificate with CA:FALSE is accepted as valid CA cert
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2021-3601
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1971525 1950376
TreeView+ depends on / blocked
 
Reported: 2021-06-10 05:00 UTC by Huzaifa S. Sidhpurwala
Modified: 2021-06-21 07:50 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way OpenSSL will accept a certificate with explicitly set Basic Constraints to CA:FALSE as a valid CA if it is present in the trusted bundle. This flaw allows an attacker with access to a private key, of which the corresponding certificate is in the trust bundle, to use this flaw for MITM to any connection from the victim machine.
Clone Of:
Environment:
Last Closed: 2021-06-15 15:04:25 UTC


Attachments (Terms of Use)

Description Huzaifa S. Sidhpurwala 2021-06-10 05:00:34 UTC
OpenSSL 1.0.2 will accept a certificate with explicitly set Basic Constraints to CA:FALSE as a valid CA if it is present in the trusted bundle.

Upstream bug: https://github.com/openssl/openssl/issues/5236

The exploitability of this bug is limited; the attacker needs to get access to a private key of which the corresponding certificate is in the trust bundle; but if, as an administrator, I want my machine to trust a specific self-signed certificate, that's precisely what I need to do. Then the attacker is able to leverage this certificate to MITM any connection from my machine, not just ones to the specific server that uses the self-signed certificate.

Comment 3 Product Security DevOps Team 2021-06-15 15:04:25 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3601


Note You need to log in before you can comment on or make changes to this bug.