VYPR
Unrated severity · NVD Advisory · Published Oct 9, 2015 · Updated May 6, 2026

CVE-2015-5894

Description

The X.509 certificate-trust implementation in Apple OS X before 10.11 does not recognize that the kSecRevocationRequirePositiveResponse flag implies a revocation-checking requirement, which makes it easier for man-in-the-middle attackers to spoof endpoints by leveraging access to a revoked certificate.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apple OS X before 10.11 fails to enforce revocation checking when the kSecRevocationRequirePositiveResponse flag is set, enabling MITM attacks with revoked certificates.

Vulnerability

The X.509 certificate-trust implementation in Apple OS X before version 10.11 does not correctly handle the kSecRevocationRequirePositiveResponse flag. When this flag is set, the system should require a positive response from the revocation server to trust a certificate. However, the implementation does not recognize that setting this flag implies a mandatory revocation-checking requirement. This flaw allows revoked certificates to be accepted as valid, undermining the trust model. Affected versions include all releases of OS X prior to 10.11 El Capitan [1].
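To make the flag's intended semantics concrete, the following Swift snippet (an added example, not code from the advisory or from Apple) shows how an application asks the Security framework for mandatory revocation checking: it builds a revocation policy with kSecRevocationRequirePositiveResponse and evaluates a server chain against that policy together with the normal TLS hostname policy. The helper names (makeStrictRevocationPolicy, evaluateServerChain, loadCertificate) and the certificate file paths are assumptions for illustration; the framework calls are real Security.framework APIs (SecTrustEvaluateWithError requires macOS 10.14 or later). On a system fixed for this CVE, a chain whose leaf has been revoked, or for which no definitive OCSP/CRL answer can be obtained, fails evaluation; on an affected release the flag alone did not force the check, which is why upgrading rather than configuring the flag is the remediation.

```swift
import Foundation
import Security

// Build a revocation policy that only trusts a certificate when a definitive
// (positive) OCSP or CRL answer is obtained. Without kSecRevocationRequirePositiveResponse,
// an unreachable responder is treated as "no information" and the chain still passes.
// Hypothetical helper; the constants are from Apple's SecPolicy.h.
func makeStrictRevocationPolicy() -> SecPolicy? {
    let flags: CFOptionFlags = kSecRevocationOCSPMethod
        | kSecRevocationCRLMethod
        | kSecRevocationRequirePositiveResponse
    return SecPolicyCreateRevocation(flags)
}

// Evaluate a server chain (leaf first, then intermediates) against both the
// TLS server policy for `hostname` and the strict revocation policy.
// Returns true only if the chain is trusted under every policy.
func evaluateServerChain(_ chain: [SecCertificate], hostname: String) -> Bool {
    guard let revocation = makeStrictRevocationPolicy() else { return false }
    let tls = SecPolicyCreateSSL(true, hostname as CFString)

    var trust: SecTrust?
    let status = SecTrustCreateWithCertificates(chain as CFArray,
                                                [tls, revocation] as CFArray,
                                                &trust)
    guard status == errSecSuccess, let trust = trust else { return false }

    var error: CFError?
    let trusted = SecTrustEvaluateWithError(trust, &error)
    if !trusted, let error = error {
        // A revoked leaf, or no positive revocation answer, lands here.
        print("trust evaluation failed: \(error)")
    }
    return trusted
}

// Load a DER-encoded certificate from disk. Paths below are constructed
// placeholders; supply a real chain captured from the server you are testing.
func loadCertificate(atPath path: String) -> SecCertificate? {
    guard let data = FileManager.default.contents(atPath: path) else { return nil }
    return SecCertificateCreateWithData(nil, data as CFData)
}

// Usage (constructed paths):
let chain = ["/tmp/example-leaf.der", "/tmp/example-intermediate.der"]
    .compactMap(loadCertificate(atPath:))
if !chain.isEmpty {
    let ok = evaluateServerChain(chain, hostname: "example.com")
    print(ok ? "chain trusted (positive revocation answer obtained)"
             : "chain rejected")
}
```

The important design point for defenders is that kSecRevocationRequirePositiveResponse changes a soft-fail check into a hard-fail one: the absence of a revocation answer is treated as a failure rather than as success. An implementation that accepts the flag but does not actually perform the lookup, which is the defect this CVE describes, silently reverts to soft-fail behavior while the application believes it has opted into strict checking.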

Exploitation

An attacker with a privileged network position (such as a man-in-the-middle) can exploit this vulnerability by presenting a revoked certificate to the target system. The attacker must have access to a certificate that has been previously revoked by the issuing Certificate Authority. Because the system does not enforce revocation checking when the kSecRevocationRequirePositiveResponse flag is present, the revoked certificate is improperly trusted. No additional authentication or user interaction is required beyond network access [1].

Impact

Successful exploitation allows the attacker to impersonate trusted endpoints over secure connections. This can lead to interception or modification of encrypted communications, disclosure of sensitive data, and further compromise of the target system. The attacker effectively bypasses the intended certificate revocation mechanism, defeating a core security control for TLS/SSL and other X.509-based protocols [1].

Mitigation

The vulnerability is addressed in OS X 10.11 El Capitan, released on September 30, 2015. Users should upgrade to this version or later to remediate the issue. No official workarounds have been provided for systems that cannot be updated. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0. No linked articles in our index yet.