PSIRT Advisories

CVE-2015-1793 OpenSSL "Alternative Chains Certificate Forgery"

description-logo Description

OpenSSL released a security advisory in July 2015 to announce a high severity vulnerability affecting any application that verifies certificates with OpenSSL.
In certain conditions, an attacker owning a valid certificate (eg: a certificate for her personal website, signed by legitimate Certification Authorities) could leverage this vulnerability to act as a CA and "issue" certificates (in other words: sign forged certificates that would then appear legitimate to a vulnerable peer).
OpenSSL notes that this concerns SSL clients (when verifying a server's certificates) but also SSL servers when verifying a client's certificate, in the rarer occurrence of client authentication in the SSL handshake.

Impact Detail

Impacted products may be presented spoofed certificates (client or server) byan attacker, and trust them. In addition, vulnerable SSL clients connecting to non-impacted products(typically: with avulnerable browser) may be the victim of a man-in-the-middle attack leveragingthis vulnerability. Note that since they do not rely on OpenSSL, Internet Explorer, Firefox, Safari and Chrome are not impacted - it is thus safe for an administrator to connect to the WebUI of Fortinet products from those (over https, that is).

Affected Products

Fortinet products themselves are not impacted.

Solutions

Do not connect to any SSL server (even nonimpacted) from a vulnerable client.