1970201 – (CVE-2021-3601) CVE-2021-3601 openssl: Certificate with CA:FALSE is accepted as valid CA cert

Bug 1970201 (CVE-2021-3601) - CVE-2021-3601 openssl: Certificate with CA:FALSE is accepted as valid CA cert

Summary: CVE-2021-3601 openssl: Certificate with CA:FALSE is accepted as valid CA cert

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2021-3601
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1950376 1971525
TreeView+	depends on / blocked

Reported:	2021-06-10 05:00 UTC by Huzaifa S. Sidhpurwala
Modified:	2021-06-21 07:50 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the way OpenSSL will accept a certificate with explicitly set Basic Constraints to CA:FALSE as a valid CA if it is present in the trusted bundle. This flaw allows an attacker with access to a private key, of which the corresponding certificate is in the trust bundle, to use this flaw for MITM to any connection from the victim machine.
Clone Of:
Environment:
Last Closed:	2021-06-15 15:04:25 UTC
Embargoed:

Attachments	(Terms of Use)

Description Huzaifa S. Sidhpurwala 2021-06-10 05:00:34 UTC

OpenSSL 1.0.2 will accept a certificate with explicitly set Basic Constraints to CA:FALSE as a valid CA if it is present in the trusted bundle.

Upstream bug: https://github.com/openssl/openssl/issues/5236

The exploitability of this bug is limited; the attacker needs to get access to a private key of which the corresponding certificate is in the trust bundle; but if, as an administrator, I want my machine to trust a specific self-signed certificate, that's precisely what I need to do. Then the attacker is able to leverage this certificate to MITM any connection from my machine, not just ones to the specific server that uses the self-signed certificate.

Comment 3 Product Security DevOps Team 2021-06-15 15:04:25 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3601

Note You need to log in before you can comment on or make changes to this bug.