#VU103771 Improper authentication in OpenSSL - CVE-2024-12797


Vulnerability identifier: #VU103771

Vulnerability risk: Medium

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-12797

CWE-ID: CWE-287

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenSSL
Server applications / Encryption software

Vendor: OpenSSL Software Foundation

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to an error when using RFC7250 Raw Public Keys (RPKs) to authenticate a server. TLS and DTLS connections using raw public keys are vulnerable to man-in-middle attacks when server authentication failure is not detected by clients.

Note, the vulnerability can be exploited only when TLS clients explicitly enable RPK use by the server, and the server, likewise, enables sending of an RPK instead of an X.509 certificate chain.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

OpenSSL: 3.0.0 - 3.0.15, 3.1.0 - 3.1.7, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.3.0, 3.3.1, 3.3.2, 3.4.0


External links
https://github.com/openssl/openssl/commit/738d4f9fdeaad57660dcba50a619fafced3fd5e9
https://github.com/openssl/openssl/commit/798779d43494549b611233f92652f0da5328fbe7
https://github.com/openssl/openssl/commit/87ebd203feffcf92ad5889df92f90bb0ee10a699
https://openssl-library.org/news/secadv/20250211.txt


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability