000030741 - OpenSSL Vulnerability - Alternative Chains Certificate Forgery (CVE-2015-1793)

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 14, 2017.


Article Number: 000030741

Applies To: All RSA Products
OpenSSL versions 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c

Issue: OpenSSL Vulnerability - Alternative Chains Certificate Forgery (CVE-2015-1793)
The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly process X.509 Basic Constraints cA values during identification of alternative certificate chains, which allows remote attackers to spoof a Certification Authority role and trigger unintended certificate verifications via a valid leaf certificate.
For more information about the vulnerability, refer to the following posts:
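As an added check that is not part of RSA's advisory or the OpenSSL project's code: the Python script below parses the banner printed by `openssl version` and reports whether the build is one of the four upstream releases the advisory lists as affected (1.0.1n, 1.0.1o, 1.0.2b, 1.0.2c). It assumes the banner shape `OpenSSL <major>.<minor>.<fix><letter> [-suffix] <date>`; the sample banners in the code are constructed. The caveat the table itself illustrates is built in: a distribution build such as the RHEL 6 package carries backported fixes under an older version string, so the script flags vendor-suffixed builds for confirmation against the distribution's own advisory rather than treating the banner as the final word.

```python
"""Check an `openssl version` banner against the upstream releases that the
advisory lists as affected by CVE-2015-1793 (alternative chains certificate
forgery). Added example; not RSA's or the OpenSSL project's code."""
import re
import subprocess

# The four upstream releases named in the advisory's "Applies To" line.
AFFECTED_RELEASES = {"1.0.1n", "1.0.1o", "1.0.2b", "1.0.2c"}

# Assumed banner shape: "OpenSSL 1.0.2c 12 Jun 2015". Vendor builds may append
# a suffix such as "-fips" to the version; it is captured separately.
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-\S+)?")


def parse_openssl_version(banner):
    """Return ((major, minor, fix, letter), suffix) parsed from a banner.

    The suffix is "" when the banner carries no vendor tag.
    """
    match = _BANNER_RE.search(banner)
    if match is None:
        raise ValueError(f"unrecognised OpenSSL banner: {banner!r}")
    major, minor, fix, letter, suffix = match.groups()
    return (int(major), int(minor), int(fix), letter), (suffix or "")


def release_string(version):
    """Format a parsed version back into the "1.0.2c" form used in advisories."""
    major, minor, fix, letter = version
    return f"{major}.{minor}.{fix}{letter}"


def is_affected(banner):
    """True when the banner's upstream release is one of the affected four."""
    version, _suffix = parse_openssl_version(banner)
    return release_string(version) in AFFECTED_RELEASES


def assess(banner):
    """Return (status, note) in the same vocabulary as the advisory's table.

    A "Not Impacted" result only means the upstream version string is not in
    the affected set; vendor builds are flagged because a distribution may
    ship a backported fix (or an older, unaffected base) under its own string.
    """
    version, suffix = parse_openssl_version(banner)
    release = release_string(version)
    if release in AFFECTED_RELEASES:
        return "Impacted", f"upstream release {release} is listed as affected"
    if suffix:
        return ("Not Impacted",
                f"{release}{suffix} is a vendor build; confirm against the "
                "distribution's own advisory")
    return "Not Impacted", f"upstream release {release} is not listed as affected"


def local_openssl_banner():
    """Run `openssl version` on this host; None when the binary is unavailable."""
    try:
        result = subprocess.run(["openssl", "version"], capture_output=True,
                                text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return result.stdout.strip()


if __name__ == "__main__":
    # Constructed sample banners, plus the local build when one is installed.
    samples = [
        "OpenSSL 1.0.2c 12 Jun 2015",        # constructed: affected upstream
        "OpenSSL 1.0.1e-fips 11 Feb 2013",   # constructed: vendor (RHEL-style) build
        "OpenSSL 0.9.8zg 11 Jun 2015",       # constructed: unaffected branch
    ]
    local = local_openssl_banner()
    if local:
        samples.append(local)
    for sample in samples:
        status, note = assess(sample)
        print(f"{sample!r}: {status} ({note})")
```

Run it on each host that ships its own OpenSSL; a hit on one of the four releases is a reason to update, while a vendor-tagged banner is a prompt to read the distribution's advisory, as the RHEL 6 and SUSE rows in the table do.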

Resolution: RSA is aware of and investigating this issue to identify the product impact. The level of impact may vary depending on the affected product. The following table contains the latest available impact information. This table will be updated as additional information becomes available.

| RSA Product Name | Versions | Impacted? | Details | Last Updated |
|---|---|---|---|---|
| 3D Secure / Adaptive Authentication eCommerce | All Supported | Not Impacted | | 7/14/2015 |
| Access Manager | All Supported | Not Impacted | AxM does not use or ship OpenSSL as part of the product | 7/13/2015 |
| Adaptive Authentication Hosted | All Supported | Not Impacted | | 7/14/2015 |
| Adaptive Authentication On-Prem | All Supported | Not Impacted | | 7/14/2015 |
| Archer Hosted | N/A | Impacted | Archer Mobile application uses the SQLite library, which utilizes an OpenSSL library containing the X509_verify_cert function. Based on RSA's analysis, the Archer application is not believed to be exploitable as it does not use this function directly. | 7/20/2015 |
| Archer Platform | All Supported | Impacted | Archer Mobile application uses the SQLite library, which utilizes an OpenSSL library containing the X509_verify_cert function. Based on RSA's analysis, the Archer application is not believed to be exploitable as it does not use this function directly. | 7/20/2015 |
| Archer SecOps | All Supported | Impacted | Archer Mobile application uses the SQLite library, which utilizes an OpenSSL library containing the X509_verify_cert function. Based on RSA's analysis, the Archer application is not believed to be exploitable as it does not use this function directly. | 7/20/2015 |
| Archer Vulnerability & Risk Manager (VRM) | All Supported | Impacted | Archer Mobile application uses the SQLite library, which utilizes an OpenSSL library containing the X509_verify_cert function. Based on RSA's analysis, the Archer application is not believed to be exploitable as it does not use this function directly. | 7/20/2015 |
| Authentication Manager Software Platform | 7.1.4 | Not Impacted | AM 7.1.4 does not use OpenSSL | 7/10/2015 |
| Authentication Manager Appliance | 3.0.4 | Not Impacted | AM 3.0.4 does not use a vulnerable version of OpenSSL | 7/10/2015 |
| Authentication Manager Appliance | 8.1.1 | Not Impacted | AM 8.1.1 does not use a vulnerable version of OpenSSL | 7/10/2015 |
| Authentication Manager Express | 1.0 | Not Impacted | | 7/15/2015 |
| BSAFE: MES | All Supported | Not Impacted | | 7/13/2015 |
| BSAFE: SSL-C | All Supported | Not Impacted | | 7/13/2015 |
| BSAFE: SSL-J | All Supported | Not Impacted | | 7/13/2015 |
| Data Loss Prevention | 9.5.x & 9.6.x | Not Impacted | The affected OpenSSL versions are not shipped with DLP | 7/15/2015 |
| Data Protection Manager | All Supported | Not Impacted | DPM uses OpenSSL 0.9.8, which is not affected by this issue | 7/14/2015 |
| DCS: Certificate Manager | All Supported | Not Impacted | Certificate Manager does not use OpenSSL | 7/13/2015 |
| DCS: Validation Manager | All Supported | Not Impacted | Validation Manager does not use OpenSSL | 7/13/2015 |
| ECAT | All Supported | Not Impacted | ECAT does not use OpenSSL for certificate chain verification | 7/14/2015 |
| enVision | All Supported | Not Impacted | enVision does not use OpenSSL | 7/10/2015 |
| Federated Identity Manager | All Supported | Not Impacted | AxM does not use or ship OpenSSL as part of the product | 7/13/2015 |
| FraudAction | All Supported | Investigating | | 7/10/2015 |
| IMG (Aveksa) MyAccess Live | All Supported | Not Impacted | | 7/14/2015 |
| IMG (Aveksa) On-Prem Platform | All Supported | Not Impacted | | 7/14/2015 |
| IMG (Aveksa) Appliance | All Supported | Not Impacted | Appliance ships with SUSE, which includes OpenSSL; however, this issue does not apply to SUSE | 7/14/2015 |
| IMG (Aveksa) StealthAudit | All Supported | Not Impacted | | 7/14/2015 |
| Netwitness | 9.8.x | Not Impacted | Netwitness runs on CentOS 6, which is based on RHEL 6, and RHEL 6 is not vulnerable per Red Hat | 7/10/2015 |
| Netwitness Informer | 2.0 | Not Impacted | Informer does not use a vulnerable OpenSSL library | 7/13/2015 |
| Netwitness Spectrum | 1.1 | Not Impacted | Netwitness runs on CentOS 6, which is based on RHEL 6, and RHEL 6 is not vulnerable per Red Hat | 7/10/2015 |
| RSA Central | All Supported | Investigating | | 7/10/2015 |
| RSA Live Infrastructure | All Supported | Not Impacted | SA Live runs on CentOS 6, which is based on RHEL 6, and RHEL 6 is not vulnerable per Red Hat | 7/13/2015 |
| SecurID Agent for PAM | All Supported | Not Impacted | Agent does not use OpenSSL or do certificate verification | 7/15/2015 |
| SecurID Agent for Web | All Supported | Not Impacted | Agent does not use OpenSSL or do certificate verification | 7/15/2015 |
| SecurID Agent for Windows | All Supported | Not Impacted | Agent does not use OpenSSL or do certificate verification | 7/15/2015 |
| SecurID Authentication Engine | All Supported | Not Impacted | SAE does not use OpenSSL or do certificate verification | 7/15/2015 |
| SecurID Authentication SDK | All Supported | Not Impacted | SDK does not use OpenSSL or do certificate verification | 7/15/2015 |
| SecurID Software Token Converter | All Supported | Not Impacted | Token Converter does not use OpenSSL or do certificate verification | 7/15/2015 |
| SecurID Software Token for Android | All Supported | Not Impacted | Software Token for Android does not use OpenSSL | 7/20/2015 |
| SecurID Software Token for Blackberry | All Supported | Impacted | Software Token for Android uses OpenSSL but does not utilize the vulnerable X509 certificate validation. Based on RSA's analysis, the product is not believed to be exploitable. | 7/20/2015 |
| SecurID Software Token for Desktop | All Supported | Investigating | | 7/10/2015 |
| SecurID Software Token for iPhone | All Supported | Not Impacted | Software Token for iPhone does not use OpenSSL | 7/20/2015 |
| SecurID Software Token for Windows Mobile | All Supported | Investigating | | 7/10/2015 |
| SecurID Software Token Toolbar | All Supported | Investigating | | 7/10/2015 |
| SecurID Software Token Web SDK | All Supported | Investigating | | 7/10/2015 |
| SecurID Transaction Signing SDK | All Supported | Investigating | | 7/10/2015 |
| Security Analytics Platform (Physical and Virtual Appliances) | 10.0.x-10.5.x | Not Impacted | SA runs on CentOS 6, which is based on RHEL 6, and RHEL 6 is not vulnerable per Red Hat | 7/10/2015 |
| Security Analytics Malware Analytics | 10.0.x-10.5.x | Not Impacted | SA runs on CentOS 6, which is based on RHEL 6, and RHEL 6 is not vulnerable per Red Hat | 7/10/2015 |
| Security Analytics Malware Cloud | N/A | Not Impacted | MA Cloud runs on CentOS 6, which is based on RHEL 6, and RHEL 6 is not vulnerable per Red Hat | 7/13/2015 |
| Security Analytics (Windows Legacy Collector) | 10.0.x-10.5.x | Not Impacted | Windows Legacy Collector does not use a vulnerable OpenSSL library | 7/13/2015 |
| Security Analytics Warehouse (DCA Pivotal) | | Not Impacted | Warehouse runs on CentOS 6, which is based on RHEL 6, and RHEL 6 is not vulnerable per Red Hat | 7/13/2015 |
| Security Analytics Warehouse (MapR) | | Not Impacted | Warehouse runs on CentOS 6, which is based on RHEL 6, and RHEL 6 is not vulnerable per Red Hat | 7/13/2015 |
| Web Threat Detection (SilverTail) | All Supported | Not Impacted | WTD runs on CentOS 6, which is based on RHEL 6, and RHEL 6 is not vulnerable per Red Hat | 7/13/2015 |
Notes

Disclaimer
Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1-800-995-5095. RSA Security LLC distributes RSA Security Advisories in order to bring important security information to the attention of users of the affected RSA products. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA or its suppliers be liable for any damages whatsoever, including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
