
SSL: OpenSSL Alternative Chains Certificate Forgery Policy Bypass Vulnerability (CVE-2015-1793)

Hi Team,

After the release of signature update version 9.8.15.5, we have been receiving alerts for this signature.

We have checked the pcap and found the below Signature matches the pcap data.

Can someone help to confirm the alert is triggering for the false signature?

Signature#2
condition 1
 ssl-rsp-v3-certificate matches "(?{lang=pcre}\x06\x03\x55\x1D\x13(\x04.\x30|\x01..\x04.\x30).{10,}\x06\x03\x55\x1D\x13(\x04.\x30|\x01..\x04.\x30)[^\x00][^\x01])" ( case-sensitive )
Signature#3
condition 1
 pktsearch-rsp-text matches "(?{lang=pcre}\x06\x03\x55\x1D\x13(\x04.\x30|\x01..\x04.\x30).{10,}\x06\x03\x55\x1D\x13(\x04.\x30|\x01..\x04.\x30)\x00)" ( case-sensitive )
Signature#4
condition 1
 pktsearch-rsp-text matches "(?{lang=pcre}\x06\x03\x55\x1D\x13(\x04.\x30|\x01..\x04.\x30).{10,}\x06\x03\x55\x1D\x13(\x04.\x30|\x01..\x04.\x30)\x00)" ( case-sensitive )

PCAP Data:


Regards

BB

5 Replies

Re: SSL: OpenSSL Alternative Chains Certificate Forgery Policy Bypass Vulnerability (CVE-2015-1793)

Hi All,

We are being flooded with alerts. Could someone help with this issue?

Regards

BB

Reliable Contributor mjesmer

Re: SSL: OpenSSL Alternative Chains Certificate Forgery Policy Bypass Vulnerability (CVE-2015-1793)

If you are looking for immediate support on the issue, contact the support line and get an SR opened.

I took a quick look at it with my limited knowledge of regular expressions and can see the first \x06\x03\x55\x1D\x13 does indeed repeat in your pcap... like I said, this is just a preliminary browse through the pcap.
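
The bytes `\x06\x03\x55\x1D\x13` in these signatures are the DER encoding of OID 2.5.29.19, the X.509 basicConstraints extension. The following is an added triage example, not part of the original posts and not vendor code: it lists every basicConstraints extension in a byte blob and checks a Python transcription of the Signature#3/#4 pattern against it. The helper names and the sample bytes are constructed for illustration, and it assumes `.` keeps the PCRE default of not matching byte 0x0A.

```python
import re

# DER encoding of OID 2.5.29.19 (basicConstraints), the anchor in every signature
BC_OID = b"\x06\x03\x55\x1d\x13"

# Inner pattern of Signature#3/#4 from the post as a Python bytes regex.
# Assumption: "." keeps the PCRE default and does not match byte 0x0A.
SIG3 = re.compile(
    rb"\x06\x03\x55\x1D\x13(\x04.\x30|\x01..\x04.\x30).{10,}"
    rb"\x06\x03\x55\x1D\x13(\x04.\x30|\x01..\x04.\x30)\x00"
)

def basic_constraints(data):
    """Return (offset, critical, cA, pathLen) for each basicConstraints found."""
    found = []
    pos = data.find(BC_OID)
    while pos != -1:
        i = pos + len(BC_OID)
        critical = False
        if data[i:i + 1] == b"\x01":              # optional BOOLEAN "critical"
            critical = data[i + 2:i + 3] not in (b"", b"\x00")
            i += 3
        # OCTET STRING wrapping a SEQUENCE, short-form lengths only
        if data[i:i + 1] == b"\x04" and data[i + 2:i + 3] == b"\x30" and len(data) > i + 3:
            body = data[i + 4:i + 4 + data[i + 3]]
            ca, path_len = False, None             # cA defaults to FALSE when absent
            if body[:2] == b"\x01\x01" and len(body) >= 3:
                ca = body[2] != 0
                body = body[3:]
            if body[:1] == b"\x02" and len(body) >= 2:   # pathLenConstraint INTEGER
                path_len = int.from_bytes(body[2:2 + body[1]], "big")
            found.append((pos, critical, ca, path_len))
        pos = data.find(BC_OID, pos + 1)
    return found

def sig3_matches(data):
    return SIG3.search(data) is not None

# Constructed extension fragments; FILLER stands in for the other certificate bytes.
CA_EXT = BC_OID + b"\x01\x01\xff\x04\x05\x30\x03\x01\x01\xff"   # critical, cA=TRUE
LEAF_EXT = BC_OID + b"\x04\x02\x30\x00"                          # empty SEQUENCE, cA=FALSE
FILLER = b"\xaa" * 12
CA_THEN_LEAF = CA_EXT + FILLER + LEAF_EXT
LEAF_THEN_CA = LEAF_EXT + FILLER + CA_EXT

if __name__ == "__main__":
    for name, blob in (("CA_THEN_LEAF", CA_THEN_LEAF), ("LEAF_THEN_CA", LEAF_THEN_CA)):
        print(name, basic_constraints(blob), "sig3:", sig3_matches(blob))
```

On the constructed samples the pattern fires only when the second basicConstraints in the data is an empty SEQUENCE (cA absent, so FALSE); running `basic_constraints` over the certificate bytes exported from the capture shows which extension in the alerting traffic has that form.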

Re: SSL: OpenSSL Alternative Chains Certificate Forgery Policy Bypass Vulnerability (CVE-2015-1793)

We have already created an SR, but it is still at the investigation stage.

 SR# 4-18479485041

Reliable Contributor petermason

Re: SSL: OpenSSL Alternative Chains Certificate Forgery Policy Bypass Vulnerability (CVE-2015-1793)

Hi Bharani,

Are the hosts on your network vulnerable to this attack?

Which signature is being matched from the above list?

Regards

Peter

Re: SSL: OpenSSL Alternative Chains Certificate Forgery Policy Bypass Vulnerability (CVE-2015-1793)

Hi All,

Do we have any update on the signature yesterday?

regards

BB
