cbcvebase.
CVE-2015-1789
published 2015-06-12


Priority: P3 · 54 · high
CVSS 3.0: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 74.48% (99.4th percentile)

The X509_cmp_time function in crypto/x509/x509_vfy.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted length field in ASN1_TIME data, as demonstrated by an attack against a server that supports client authentication with a custom verification callback.

Affected

47 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | os_x_yosemite_v10.10.5_and_security_update_2015-006 | | |
| cisco | products | | |
| debian | openssl | < openssl 1.0.2b-1 (bookworm) | openssl 1.0.2b-1 (bookworm) |
| openssl | openssl | <= 0.9.8zf | |
| openssl | openssl | | |

Detection & IOCs (extracted from sources)

  • url: https://crashes.fuzzing-project.org/openssl-verify-oob.crt
  • path: crypto/x509/x509_vfy.c
  • hash: f5ae7d8d02dc7211a82cb727918baae6
  • hash: 292726fb9abbae19428821c29530737b
  • hash: d2297a7b948c943f43c5f05f13038198
  • hash: b43a116c22e3107f3cc94afb6396f07a

  • Trigger condition: crafted length field in ASN1_TIME data sent via malformed X.509 certificate or CRL causes out-of-bounds read in X509_cmp_time(); monitor for application crashes during certificate/CRL validation.
  • Attack surface includes TLS clients performing CRL verification and TLS servers/clients with client authentication enabled using custom verification callbacks.
  • Exploitation results in segmentation fault / application crash (DoS); monitor for unexpected crashes in processes performing certificate or CRL parsing.
  • Vulnerable OpenSSL versions: 0.9.8 before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, 1.0.2 before 1.0.2b; fixed versions are 1.0.2b, 1.0.1n, 1.0.0s, 0.9.8zg.
  • Exploitation is only demonstrated against servers supporting client authentication with a custom verification callback; default configurations without custom callbacks have reduced exposure.

CVSS provenance

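| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
| osv | | 7.5 | HIGH | |
| vendor_cisco | | 7.8 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |
| vendor_ubuntu | | 7.5 | HIGH | |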