Security Advisory - MITM Vulnerability in the OpenSSL Module of Huawei eSight Network
- SA No:Huawei-SA-20150919-01-OpenSSL
- Initial Release Date: Sep 19, 2015
- Last Release Date: Sep 19, 2015
During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed. This vulnerability could allow an attacker to launch man-in-the-middle (MITM) attacks and enable applications to regard invalid certificates as valid. (Vulnerability ID: HWPSIRT-2015-07033)
This Vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID: CVE-2015-1793.|
Product Name |
Affected Version |
Resolved Product and Version |
|
eSight Network |
V300R003C10SPC100 |
V300R003C10SPC201 |
The vulnerability classification has been performed by using the CVSSv2 scoring system (http://www.first.org/cvss/).
Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
Temporal Score: 5.3 (E:F/RL:O/RC:C)1. Prerequisite:
The attacker can intercept the communication data between the two communication parties.
2. Attacking procedure:
During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed.
This issue will impact any application that verifies certificates including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.
For security problems about Huawei products and solutions, please contactPSIRT@huawei.com.
For general problems about Huawei products and solutions, please directly contact Huawei TAC (Huawei Technical Assistance Center) to request the configuration or technical assistance.
None
