60/68 Thursday, February 13, 2025
OpenSSL has released a patch addressing the high-severity vulnerability CVE-2024-12797, which was discovered by Apple. This flaw could allow Man-in-the-Middle (MitM) attacks. OpenSSL is a widely used cryptographic library that secures network communications by encrypting data and verifying identities. It supports Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. The vulnerability affects TLS/DTLS clients that enable Raw Public Keys (RPKs) as specified in RFC7250 and use the SSL_VERIFY_PEER mode. Due to improper server authentication checks, attackers could impersonate servers and intercept encrypted communications. Apple discovered the vulnerability on December 18, 2024, and Viktor Dukhovni provided the fix.
This issue impacts OpenSSL versions 3.4, 3.3, and 3.2. However, since OpenSSL disables RPKs by default, only systems that explicitly enable this feature are affected. OpenSSL has released patched versions 3.4.1, 3.3.2, and 3.2.4 to resolve the problem. Users who have enabled RPKs can verify authentication by calling SSL_get_verify_result().
Previously, OpenSSL encountered two critical vulnerabilities in 2022—CVE-2022-3602 and CVE-2022-3786—both involving buffer overflow issues that allowed attackers to exploit email address validation in X.509 certificates, potentially leading to Denial of Service (DoS) or Remote Code Execution (RCE). These incidents highlight the importance of regularly updating security patches to mitigate emerging threats.
Source https://securityaffairs.com/174111/security/openssl-patched-the-vulnerability-cve-2024-12797.html
