OpenSSL has addressed a critical security flaw identified as CVE-2024-12797, which was discovered by Apple researchers. This vulnerability could allow man-in-the-middle attacks due to improper server authentication checks in certain configurations.

Understanding the OpenSSL Vulnerability

The OpenSSL library, which is crucial for secure communications over computer networks, implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. The identified flaw affects TLS/DTLS connections that utilize RFC7250 raw public keys (RPKs) when server authentication checks fail in SSL_VERIFY_PEER mode.

Technical Details

The vulnerability, reported on December 18th, 2024, impacts TLS clients that have explicitly enabled RPKs and depend on SSL_VERIFY_PEER for authentication. Notably, RPKs are disabled by default in both TLS clients and servers, mitigating the risk for most users.

  • Impact: The flaw affects TLS clients that use RPKs and rely on SSL_VERIFY_PEER for server authentication.
  • Resolution: The issue has been fixed in OpenSSL versions 3.4.1, 3.3.2, and 3.2.4.

Mitigation and Recommendations

To mitigate this vulnerability, clients that enable server-side raw public keys should confirm whether raw public key verification failed by calling SSL_get_verify_result() after the handshake and acting on a non-OK result. This vulnerability was introduced with the initial implementation of RPK support in OpenSSL 3.2.

Previous OpenSSL Vulnerabilities

In November 2022, OpenSSL addressed other high-severity vulnerabilities, CVE-2022-3602 and CVE-2022-3786, which involved buffer overrun issues in X.509 certificate verification. These flaws could potentially lead to denial of service or remote code execution.

  • CVE-2022-3786: Allows overflow of bytes using a crafted email address in a certificate.
  • CVE-2022-3602: Enables overflow of four attacker-controlled bytes on the stack.