PSIRT Advisory

CVE-2015-1793 OpenSSL "Alternative Chains Certificate Forgery"

Description

OpenSSL released a security advisory in July 2015 to announce a high severity vulnerability affecting any application that verifies certificates with OpenSSL.
In certain conditions, an attacker owning a valid certificate (e.g. a certificate for her personal website, signed by a legitimate Certification Authority) could leverage this vulnerability to act as a CA and "issue" certificates (in other words: sign forged certificates that would then appear legitimate to a vulnerable peer).
OpenSSL notes that this concerns SSL clients (when verifying a server's certificates) but also SSL servers when verifying a client's certificate, in the rarer occurrence of client authentication in the SSL handshake.
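The defect class described above is a chain builder that accepts a certificate as an issuer without requiring it to be marked as a CA. The following is an added, simplified model of that check (not OpenSSL's code and not Fortinet's): certificates are reduced to subject, issuer and a basicConstraints CA flag, and the constructed scenario is a legitimately issued end-entity certificate ("attacker.example") used to sign a forged certificate ("bank.example"). With the CA rule enforced, the forged chain is rejected while the legitimate chain still verifies; with the rule skipped, the forged chain is accepted.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    """Constructed, minimal stand-in for an X.509 certificate."""
    subject: str
    issuer: str
    is_ca: bool          # basicConstraints CA flag


def build_chain(leaf: Cert, untrusted: List[Cert], trusted: List[Cert],
                enforce_ca: bool) -> Optional[List[Cert]]:
    """Depth-first path building from `leaf` up to a trust anchor.

    enforce_ca=True applies the rule that every certificate used as an
    issuer must carry basicConstraints CA:TRUE.  enforce_ca=False models a
    path builder that skips that rule, so an end-entity certificate can be
    accepted as an issuer.  Returns the chain leaf-first (anchor last), or
    None when no acceptable path exists.
    """
    def extend(chain: List[Cert]) -> Optional[List[Cert]]:
        top = chain[-1]
        # Candidate issuers: trust anchors first, then untrusted intermediates.
        for pool, is_anchor in ((trusted, True), (untrusted, False)):
            for cand in pool:
                if cand.subject != top.issuer or cand in chain:
                    continue
                if enforce_ca and not cand.is_ca:
                    continue  # an end-entity certificate must never act as issuer
                if is_anchor:
                    return chain + [cand]
                found = extend(chain + [cand])
                if found:
                    return found
        return None

    return extend([leaf])


# Constructed scenario (hypothetical names).
ROOT = Cert("Root CA", "Root CA", is_ca=True)                     # trust anchor
INTER = Cert("Intermediate CA", "Root CA", is_ca=True)
ATTACKER_LEAF = Cert("attacker.example", "Intermediate CA", is_ca=False)
FORGED = Cert("bank.example", "attacker.example", is_ca=False)   # signed by a leaf


def verifies(leaf: Cert, presented: List[Cert], enforce_ca: bool) -> bool:
    """True if `leaf` chains to ROOT using the certificates the peer presented."""
    return build_chain(leaf, presented, [ROOT], enforce_ca) is not None


if __name__ == "__main__":
    presented = [ATTACKER_LEAF, INTER]
    print("forged cert, CA rule skipped :", verifies(FORGED, presented, False))
    print("forged cert, CA rule enforced:", verifies(FORGED, presented, True))
    print("legit cert,  CA rule enforced:", verifies(ATTACKER_LEAF, [INTER], True))
```

The trust anchor is consulted before the untrusted pool so that a self-signed root never needs to be "reached through" another certificate; the `cand in chain` test prevents loops when a certificate in the presented set names itself as issuer.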

Impact

Certificate Forgery

Affected Products

Fortinet products themselves are not impacted.

Solutions

Do not connect to any SSL server (even one that is not itself impacted) from a vulnerable client.