SecurityTracker.com
SecurityTracker
Archives


 


Category:   Application (VoIP)  >   Cisco Unified Communications Manager (CallManager)
Vendors:   Cisco
(Cisco Issues Advisory for Cisco Unified Communications Manager) OpenSSL Alternative Certificate Chain Validation Flaw Lets Remote Users Forge Certificates
SecurityTracker Alert ID:  1032878
SecurityTracker URL:  http://securitytracker.com/id/1032878
CVE Reference:   CVE-2015-1793
Date:  Jul 13 2015
Impact:   Modification of authentication information
Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in OpenSSL. A remote user can bypass certificate validation on the target system. Cisco Unified Communications Manager is affected.

When the validation of a certificate chain fails, the system attempts to validate an alternate certificate chain but does not check the CA flag of untrusted certificates. As a result, a remote user can cause the target system to validate an invalid certificate using a valid leaf certificate.

Applications that verify certificates are affected.

SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication are affected.

The vendor was notified on June 24, 2015.

Adam Langley/David Benjamin (Google/BoringSSL) reported this vulnerability.
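
The missing check described above, shown as an added example that is not OpenSSL or Cisco code: a simplified path validator in which `check_untrusted_ca=False` models skipping the CA-flag test on peer-supplied certificates. The `Cert` model, the function names and all certificate names are constructed for illustration, and issuer-name linkage stands in for signature verification.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool  # models the basicConstraints CA flag

def build_path(target, untrusted, trusted):
    """Follow issuer links from target to a trust anchor; None if no path."""
    pool = {c.subject: c for c in list(untrusted) + list(trusted)}
    anchors = {c.subject for c in trusted}
    path, seen = [target], {target.subject}
    while path[-1].subject not in anchors:
        parent = pool.get(path[-1].issuer)
        if parent is None or parent.subject in seen:
            return None  # dangling issuer or loop: no chain to an anchor
        path.append(parent)
        seen.add(parent.subject)
    return path

def verify(target, untrusted, trusted, check_untrusted_ca=True):
    """Accept target only if it chains to an anchor through CA certificates.

    check_untrusted_ca=False reproduces the flawed behaviour: peer-supplied
    certificates in the path are never tested for the CA flag.
    """
    path = build_path(target, untrusted, trusted)
    if path is None:
        return False
    for issuing_cert in path[1:]:  # every cert that issued another one
        peer_supplied = issuing_cert not in trusted
        if not issuing_cert.is_ca and (check_untrusted_ca or not peer_supplied):
            return False  # a non-CA certificate may not issue certificates
    return True

# Constructed sample chain (not real certificates).
ROOT = Cert("Example Root CA", "Example Root CA", True)
INTER = Cert("Example Intermediate CA", "Example Root CA", True)
LEAF = Cert("leaf.example", "Example Intermediate CA", False)   # valid leaf
INVALID = Cert("other.example", "leaf.example", False)          # issued by a leaf

if __name__ == "__main__":
    print("valid leaf:", verify(LEAF, [INTER], [ROOT]))
    print("flawed check:", verify(INVALID, [LEAF, INTER], [ROOT], False))
    print("correct check:", verify(INVALID, [LEAF, INTER], [ROOT]))
```
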

Impact:   A remote user can bypass certificate validation on the target system.
Solution:   Cisco has issued an advisory for Cisco Unified Communications Manager (UCM) and Cisco UCM Session Management Edition (SME).

The vendor has assigned bug ID CSCuv26281 to this vulnerability.

The Cisco advisory is available at:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150710-openssl

Vendor URL:  openssl.org/news/secadv_20150709.txt
Cause:   Authentication error

Message History:   This archive entry is a follow-up to the message listed below.
Jul 9 2015 OpenSSL Alternative Certificate Chain Validation Flaw Lets Remote Users Forge Certificates



Copyright 2019, SecurityGlobal.net LLC