cve/2014/CVE-2014-8275.md

CVE-2014-8275

Description

OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not enforce certain constraints on certificate data, which allows remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism by including crafted data within a certificate's unsigned portion, related to crypto/asn1/a_verify.c, crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, and crypto/x509/x_all.c.

POC

Reference

• http://www.mandriva.com/security/advisories?name=MDVSA-2015:019
• http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
• http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
• http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html
• http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
• http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
• http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html

Github

• https://github.com/ARPSyndicate/cvemon
• https://github.com/akircanski/coinbugs
• https://github.com/chnzzh/OpenSSL-CVE-lib
• https://github.com/neominds/JPN_RIC13351-2
• https://github.com/uthrasri/CVE-2014-8275_openssl_g2.5
• https://github.com/uthrasri/Openssl_G2.5_CVE-2014-8275