CVE-2023-0465

5.3 MEDIUM

📋 TL;DR

This vulnerability allows malicious Certificate Authorities to bypass certificate policy checks by including invalid policies in leaf certificates. When policy checking is enabled (non-default configuration), OpenSSL silently ignores invalid policies and skips all policy verification for that certificate. Only applications that explicitly enable certificate policy verification are affected.

💻 Affected Systems

Products:
  • OpenSSL
Versions: OpenSSL 3.0.0 to 3.0.8, 1.1.1 to 1.1.1t
Operating Systems: All operating systems using affected OpenSSL versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when certificate policy verification is explicitly enabled via -policy argument or X509_VERIFY_PARAM_set1_policies() function.

📦 What is this software?

OpenSSL by OpenSSL

OpenSSL is a robust, commercial-grade toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It provides cryptographic functions and is one of the most widely used libraries for implementing secure communications in applications worldwide.

⚠️ Risk & Real-World Impact

🔴 Worst Case

A malicious CA could issue certificates that bypass organizational policy restrictions, potentially allowing unauthorized access to sensitive systems or data.

🟠 Likely Case

Limited impact since policy checking is disabled by default; only affects applications with explicit policy verification enabled.

🟢 If Mitigated

No impact if policy checking remains disabled (default) or if patched versions are used.

🌐 Internet-Facing: LOW - Requires malicious CA and explicit policy configuration, making exploitation unlikely for most internet-facing systems.
🏢 Internal Only: LOW - Same constraints apply; requires specific configuration and malicious CA access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploitation requires control of a Certificate Authority and target system with policy checking enabled.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: OpenSSL 3.0.9, 1.1.1u

Vendor Advisory: https://www.openssl.org/news/secadv/20230530.txt

Restart Required: Yes

Instructions:

1. Update OpenSSL to version 3.0.9 or 1.1.1u.
2. Restart all services using OpenSSL.
3. Recompile any statically linked applications.

🔧 Temporary Workarounds

Disable policy checking

all

Ensure certificate policy verification is not enabled in application configurations:

  • Remove the -policy argument from OpenSSL command lines
  • Remove calls to X509_VERIFY_PARAM_set1_policies() in code

🧯 If You Can't Patch

  • Disable certificate policy verification in all applications
  • Implement additional certificate validation layers and monitor for anomalous certificates

🔍 How to Verify

Check if Vulnerable:

Check OpenSSL version with 'openssl version' and verify if policy checking is enabled in application configurations

Check Version:

openssl version

Verify Fix Applied:

Confirm OpenSSL version is 3.0.9+ or 1.1.1u+ with 'openssl version'
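
The version check above can be scripted. The following is an added example, not part of the vendor advisory or the OpenSSL project: it classifies `openssl version` output against the affected and fixed versions listed on this page. The function name `classify_openssl_version` and the sample strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `openssl version` output against the ranges on this page.
# Affected: 3.0.0 to 3.0.8 and 1.1.1 to 1.1.1t. Fixed: 3.0.9 and 1.1.1u.
# Prints one of: vulnerable | fixed | unlisted
classify_openssl_version() {
    name=${1%% *}            # "OpenSSL" (LibreSSL and others are out of scope)
    rest=${1#* }
    ver=${rest%% *}          # e.g. "3.0.8" or "1.1.1t"
    [ "$name" = "OpenSSL" ] || { echo unlisted; return 0; }
    ver=${ver%%[-+]*}        # drop build suffixes such as "-fips" or "+quic"
    case "$ver" in
        3.0.*)
            patch=${ver#3.0.}
            case "$patch" in
                ""|*[!0123456789]*) echo unlisted ;;
                *) if [ "$patch" -le 8 ]; then echo vulnerable; else echo fixed; fi ;;
            esac ;;
        1.1.1*)
            # 1.1.1 releases use a letter suffix: none, then a..z.
            case "${ver#1.1.1}" in
                ""|[abcdefghijklmnopqrst]) echo vulnerable ;;
                [uvwxyz]) echo fixed ;;
                *) echo unlisted ;;
            esac ;;
        *)  echo unlisted ;;   # branch not covered by this page's version list
    esac
}

# Constructed sample strings (not captured from real hosts).
for sample in "OpenSSL 3.0.8 1 Jan 2000" "OpenSSL 1.1.1u  1 Jan 2000" "LibreSSL 3.0.2"; do
    printf '%-28s -> %s\n' "$sample" "$(classify_openssl_version "$sample")"
done

# Classify the local binary when one is installed.
if command -v openssl >/dev/null 2>&1; then
    classify_openssl_version "$(openssl version)"
fi
```

A "vulnerable" result matters only where policy checking is enabled via -policy or X509_VERIFY_PARAM_set1_policies(). Distribution packages may backport the fix without changing the upstream version string, so confirm against the package changelog as well.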

📡 Detection & Monitoring

Log Indicators:

  • Certificate validation failures with policy-related errors
  • Unexpected certificate acceptance events

Network Indicators:

  • Certificates with unusual policy OIDs from untrusted CAs

SIEM Query:

Search for OpenSSL policy verification errors or certificate validation anomalies
