Cisco ASA Next-Generation Firewall OpenSSL Alternative Chains Certificate Forgery (cisco-sa-20150710-openssl)
Severity: Medium | Nessus Plugin ID 86104

Synopsis
The remote security device is missing a vendor-supplied security patch.

Description
The remote ASA Next-Generation Firewall (NGFW) host is missing a security patch. It is, therefore, affected by a certificate validation bypass vulnerability in the bundled version of OpenSSL. The vulnerability exists due to a flaw in the X509_verify_cert() function in x509_vfy.c that is triggered while locating alternative certificate chains after the first attempt to build a chain fails. A remote attacker can exploit this by using a valid leaf certificate as a certificate authority (CA) to issue invalid certificates that bypass authentication.

Solution
Upgrade to the relevant fixed version referenced in Cisco bug ID CSCuv26213.
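The following is an added illustration, not Nessus's or OpenSSL's code: a simplified Python model of the chain building the description refers to, with a first attempt over the supplied untrusted certificates, the alternative-chain retry when that attempt dead-ends, and the CA-flag check that must cover every issuing certificate regardless of how the chain was found. The certificate names and keys are constructed, signatures are modelled by key-name equality, and the `check_ca_on_alt_chain=False` mode models the defect abstractly (it does not reproduce OpenSSL's actual bookkeeping error).

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    ca: bool       # basicConstraints CA flag
    key: str       # stands in for the public key
    sig_key: str   # key the certificate was signed with
def find_issuer(cert, pool):
    # Chains are linked by issuer name, as X509_verify_cert builds them.
    return next((c for c in pool if c.subject == cert.issuer), None)
def verify(leaf, untrusted, trust_store, check_ca_on_alt_chain=True):
    chain, via_alt_chain = [leaf], False
    # Attempt 1: extend the chain with the supplied untrusted certificates.
    while chain[-1] not in trust_store:
        nxt = find_issuer(chain[-1], untrusted)
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    # Anchor the top; on a dead end, pop and retry (alternative-chain step).
    anchor = None
    while anchor is None:
        top = chain[-1]
        if top in trust_store:
            anchor = top
        elif top.subject != top.issuer:   # untrusted self-signed never anchors
            anchor = find_issuer(top, trust_store)
        if anchor is None:
            if len(chain) == 1:
                return None, "unable to get local issuer certificate"
            chain.pop()
            via_alt_chain = True
    if anchor is not top:
        chain.append(anchor)
    for child, parent in zip(chain, chain[1:]):
        if child.sig_key != parent.key:
            return None, f"certificate signature failure: {child.subject}"
    # Every issuing certificate must carry the CA flag, however the chain was
    # found. Weak mode models the defect abstractly (skipped on alt chains).
    if check_ca_on_alt_chain or not via_alt_chain:
        for parent in chain[1:]:
            if not parent.ca:
                return None, f"invalid CA certificate: {parent.subject}"
    return chain, None
# Constructed sample PKI: ATTACKER is a valid leaf misused as an issuer;
# BOGUS_ROOT is an untrusted same-name root that makes attempt 1 dead-end.
ROOT = Cert("Root CA", "Root CA", True, "root-key", "root-key")
INTER = Cert("Inter CA", "Root CA", True, "inter-key", "root-key")
ATTACKER = Cert("attacker.test", "Inter CA", False, "att-key", "inter-key")
FORGED = Cert("www.bank.test", "attacker.test", False, "f-key", "att-key")
BOGUS_ROOT = Cert("Root CA", "Root CA", True, "att-key", "att-key")
```

Calling `verify(FORGED, [ATTACKER, INTER, BOGUS_ROOT], [ROOT])` rejects the forged chain with an invalid-CA error, while the same call with `check_ca_on_alt_chain=False` accepts it, which is the bypass the description summarises.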