Critical OpenSSL vulnerability could allow attackers to intercept secure communications with the new Alternative Chains Certificate Forgery Vulnerability (CVE-2015-1793)

A critical new vulnerability in OpenSSL could allow attackers to intercept secure communications by tricking a targeted computer into accepting a bogus digital certificate as valid. This could facilitate man-in-the-middle (MITM) attacks, where attackers could listen in on connections with secure services such as banks or email services.

OpenSSL is one of the most widely used implementations of the SSL and TLS cryptographic protocols. Open-source software, it is used widely on internet-facing devices, including two thirds of all web servers.

The new Alternative Chains Certificate Forgery Vulnerability (CVE-2015-1793) was patched today in a security update issued by the OpenSSL project (http://www.openssl.org/news/secadv_20150709.txt) . The vulnerability relates to OpenSSL’s certificate verification process. SSL certificates are issued in chains, moving from the root certificate authority (CA) through a number of intermediate CAs down to the end user certificate, known as the leaf certificate. If a connecting device cannot establish if a certificate has been issued by a trusted CA, it will move another step up the chain until it finds a trusted CA. If it doesn’t, it will return an error message and a secure connection will be denied.

For more information please read the blog post at : http://www.symantec.com/connect/blogs/critical-openssl-vulnerability-could-allow-attackers-intercept-secure-communications