#VU74148 Improper Verification of Cryptographic Signature in OpenSSL - CVE-2023-0465

Cybersecurity Help s.r.o.

Published: 2023-03-28 | Updated: 2023-10-11

Vulnerability identifier: #VU74148

Vulnerability risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-0465

CWE-ID: CWE-347

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenSSL
Server applications / Encryption software

Vendor: OpenSSL Software Foundation

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to an error when validating certificate policies in leaf certificates. A remote attacker that controls a malicious CA server can issue a certificate that will be validated by the application.

Mitigation
Install update from vendor's website.

Vulnerable software versions

OpenSSL: 1.0, 1.0.0 - 1.0.0t, 1.0.1e-25.el7 - 1.0.1u, 1.0.2 - 1.0.2zg, 1.1.0 - 1.1.0l, 1.1.1 - 1.1.1t, 3.0.0 - 3.0.8, 3.1.0

External links
https://www.openssl.org/news/secadv/20230328.txt

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

Ubuntu update for edk2

Dell NetWorker update for OpenSSL

Multiple vulnerabilities in Dell NetWorker and NetWorker Management Console

Multiple vulnerabilities in Dell PowerProtect Data Manager

Multiple vulnerabilities in IBM Events Operator

Amazon Linux AMI update for openssl

Multiple vulnerabilities in Dell RecoverPoint for Virtual Machines

Multiple vulnerabilities in IBM Event Streams

Multiple vulnerabilities in IBM Cloud Pak System