High-Severity OpenSSL Vulnerability Found by Apple Allows MitM Attacks

OpenSSL has patched CVE-2024-12797, a high-severity vulnerability found by Apple that can allow man-in-the-middle attacks.

The OpenSSL Project on Tuesday announced patches for the first high-severity vulnerability seen in the secure communications library in two years. 

The vulnerability, tracked as CVE-2024-12797, was reported to OpenSSL developers by Apple in mid-December 2024. 

The issue is related to clients using RFC7250 raw public keys (RPKs) to authenticate a server. CVE-2024-12797 was introduced in OpenSSL 3.2 with the implementation of RPK support. 

Because handshakes don’t abort as expected when the ‘SSL_VERIFY_PEER’ verification mode is set, impacted clients could fail to notice that the server has not been authenticated. 

If the authentication failure is not identified by the client, man-in-the-middle (MitM) attacks may be possible against TLS and DTLS connections that use RPKs. 

“RPKs are disabled by default in both TLS clients and TLS servers. The issue only arises when TLS clients explicitly enable RPK use by the server, and the server, likewise, enables sending of an RPK instead of an X.509 certificate chain. The affected clients are those that then rely on the handshake to fail when the server’s RPK fails to match one of the expected public keys, by setting the verification mode to SSL_VERIFY_PEER,” the OpenSSL Project explained in its advisory.

“Clients that enable server-side raw public keys can still find out that raw public key verification failed by calling SSL_get_verify_result(), and those that do, and take appropriate action, are not affected,” it added.

OpenSSL 3.4, 3.3 and 3.2 are vulnerable. CVE-2024-12797 has been patched with the release of versions 3.4.1, 3.3.2 and 3.2.4.
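To triage a fleet against the version ranges above, the following added example (not from the OpenSSL Project or the article) classifies `openssl version` banners collected per host. The inventory format, hostnames and status labels are assumptions made for the example.

```python
import re

# Fixed patch release per affected branch, as stated in the article.
FIXED = {(3, 2): 4, (3, 3): 2, (3, 4): 1}

# Matches the version in `openssl version` output, e.g. "OpenSSL 3.3.1 4 Jun 2024".
_BANNER = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)")

def classify(banner):
    """Return 'affected', 'fixed', 'predates-rpk', 'not-listed' or 'unparsed'."""
    m = _BANNER.search(banner)
    if not m:
        return "unparsed"  # other TLS libraries, truncated output, ...
    major, minor, patch = map(int, m.groups())
    if (major, minor) < (3, 2):
        return "predates-rpk"  # RPK support (and the bug) arrived in 3.2
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        return "not-listed"  # branch not named in the article; check the advisory
    return "affected" if patch < fixed_patch else "fixed"

def triage(inventory):
    """Map host -> status for lines of the form '<host> <openssl version output>'."""
    result = {}
    for line in inventory.strip().splitlines():
        host, _, banner = line.strip().partition(" ")
        result[host] = classify(banner)
    return result

# Constructed sample inventory (hostnames and banners are made up for the example).
SAMPLE = """
web01 OpenSSL 3.4.0 22 Oct 2024 (Library: OpenSSL 3.4.0 22 Oct 2024)
web02 OpenSSL 3.4.1 11 Feb 2025 (Library: OpenSSL 3.4.1 11 Feb 2025)
iot03 OpenSSL 3.2.3 3 Sep 2024
db04 OpenSSL 3.0.15 3 Sep 2024
old05 OpenSSL 1.1.1w  11 Sep 2023
mac06 LibreSSL 3.3.6
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

A result of `affected` only means the library version is in the vulnerable range; exposure still requires a client that enables server RPKs and relies on SSL_VERIFY_PEER without calling SSL_get_verify_result(). Distribution packages may carry a backported fix without changing the upstream version number, so confirm against the vendor's package changelog.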

The security of OpenSSL has evolved a great deal since the disclosure of the notorious Heartbleed vulnerability back in 2014. 

In 2023 and 2024, a majority of the vulnerabilities found and patched in the project were low-severity issues. Two moderate and one high-severity flaws were fixed in 2023, and one moderate-severity bug was fixed in 2024 — the rest were low-severity bugs. The high-severity issue was addressed in February 2023, almost exactly two years ago. 

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
