FortiClient Vulnerability

OpenSSL CVE-2014-8275 Weak Encryption Vulnerability

Description

Severity: LowOpenSSL accepts several non-DER-variations of certificate signaturealgorithm and signature encodings. OpenSSL also does not enforce amatch between the signature algorithm between the signed and unsignedportions of the certificate. By modifying the contents of thesignature algorithm or the encoding of the signature, it is possibleto change the certificate's fingerprint.This does not allow an attacker to forge certificates, and does notaffect certificate verification or OpenSSL servers/clients in anyother way. It also does not affect common revocation mechanisms. Onlycustom applications that rely on the uniqueness of the fingerprintThis issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and0.9.8.OpenSSL 1.0.1 users should upgrade to 1.0.1k.OpenSSL 1.0.0 users should upgrade to 1.0.0p.OpenSSL 0.9.8 users should upgrade to 0.9.8zd.One variant of this issue was discovered by Antti Karjalainen andTuomo Untinen from the Codenomicon CROSS program and reported toOpenSSL on 1st December 2014 by NCSC-FI VulnerabilityCo-ordination. Another variant was independently reported to OpenSSLon 12th December 2014 by Konrad Kraszewski from Google. Furtheranalysis was conducted and fixes were developed by Stephen Henson ofthe OpenSSL core team.