Tech Solvency / The Story So Far / Alternative chains certificate forgery (CVE-2015-1793)

From the OpenSSL announcement:

During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails.

An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate.


The vulnerability appears to exist only in OpenSSL releases that happened in June 2015 and later. That leaves a lot of Linux distributions relatively safe, since they haven't gotten an OpenSSL update in a while. Red Hat, CentOS and Ubuntu appear to be entirely unaffected by this vulnerability, since they had no OpenSSL updates since June 2015.

This kind of vulnerability allows man-in-the-middle attacks and could cause applications to see invalid and untrusted SSL certificates as valid. It essentially allows everyone to become their own Certificate Authority (CA).

[...] If anyone manages to change either the DNS of your endpoint or modify the endpoint URL altogether, and point it to their own servers, your application may still accept it as a valid SSL/TLS stream.

From Ars Technica:

The flaw has the potential to be extremely serious, because in certain cases it makes it trivial to bypass the most popular - and in many cases, the only - form of encryption and cryptographic authentication available for websites, e-mail servers, and virtual private networks. The bug allows attackers to bypass certain checks that are supposed to be carried out when an end-user app is establishing an encrypted session with a server. As a result, the attacker can make an invalid certificate appear as if it belongs to a trusted certificate authority and issue forged certificates for any website.

"The advisory makes it look pretty bad," Matt Green, a professor specializing in cryptography at Johns Hopkins University, told Ars. "If you can look like a CA, then you can issue a certificate for any site." [emphasis mine]

From Symantec:

The new Alternative Chains Certificate Forgery Vulnerability (CVE-2015-1793) was patched today in a security update issued by the OpenSSL project. The vulnerability relates to OpenSSL's certificate verification process. SSL certificates are issued in chains, moving from the root certificate authority (CA) through a number of intermediate CAs down to the end user certificate, known as the leaf certificate. If a connecting device cannot establish if a certificate has been issued by a trusted CA, it will move another step up the chain until it finds a trusted CA. If it doesn't, it will return an error message and a secure connection will be denied.

If the first attempt to build a chain of certificates fails, OpenSSL will attempt to find an alternative chain. The vulnerability results from an error in the implementation of this process, which could allow an attacker to bypass checks on untrusted CAs. This could allow an attacker to use a valid leaf certificate to act as a CA and issue invalid certificates, which will be accepted as trusted by the target.
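The two behaviours the quotes describe, alternative-chain building and the CA flag check that must hold on every issuing certificate, in a small path builder. This is an added illustration, not OpenSSL's code or code from any of the quoted sources; the certificates, names and trust store are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate: only the fields the check needs."""
    subject: str
    issuer: str
    ca: bool  # basicConstraints CA flag


def build_chain(leaf: Cert, untrusted: List[Cert], trusted: List[Cert]) -> Optional[List[Cert]]:
    """Depth-first path builder. Every candidate issuer is tried in turn, so a failed
    first chain falls back to alternative chains; the CA flag is enforced on every
    issuing certificate regardless of which attempt produced it."""
    anchors = {c.subject: c for c in trusted}

    def walk(chain: List[Cert]) -> Optional[List[Cert]]:
        current = chain[-1]
        if current.issuer in anchors:
            anchor = anchors[current.issuer]
            return chain + [anchor] if anchor.ca else None
        for cand in untrusted:
            if cand.subject != current.issuer or cand in chain:
                continue
            if not cand.ca:
                continue  # a non-CA cert may not issue anything, on any chain attempt
            found = walk(chain + [cand])
            if found:
                return found
        return None

    return walk([leaf])


# Constructed scenario: the intermediate exists twice, once cross-signed by a root
# that is no longer trusted (first chain attempt fails) and once by the live root.
ROOT = Cert("Root CA", "Root CA", ca=True)
INT_OLD = Cert("Intermediate", "Retired Root", ca=True)
INT_NEW = Cert("Intermediate", "Root CA", ca=True)
SITE = Cert("www.example.test", "Intermediate", ca=False)
FORGED = Cert("mail.example.test", "www.example.test", ca=False)  # "issued" by a leaf
TRUSTED = [ROOT]
UNTRUSTED = [INT_OLD, INT_NEW, SITE]

if __name__ == "__main__":
    good = build_chain(SITE, UNTRUSTED, TRUSTED)
    print("site:", [c.subject for c in good] if good else "rejected")
    print("forged:", build_chain(FORGED, UNTRUSTED, TRUSTED) or "rejected")
```

The site certificate verifies only through the alternative chain (the cross-signed intermediate dead-ends), while the certificate "issued" by the leaf is rejected because its issuer lacks the CA flag.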

Not affected

May be affected

Detection and testers

News and posts

Competing nickname ideas