
A high-severity vulnerability has been discovered in OpenSSL, a widely used cryptography library that secures countless websites and online services. The vulnerability, tracked as CVE-2024-12797, affects the implementation of Raw Public Keys (RPKs), an alternative authentication method to traditional X.509 certificates.
The flaw could allow attackers to perform man-in-the-middle attacks by impersonating servers. “Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because handshakes don’t abort as expected when the SSL_VERIFY_PEER verification mode is set,” OpenSSL’s advisory explains.
RPKs are disabled by default in OpenSSL, so the vulnerability only affects users who have explicitly enabled this feature. However, for those who do utilize RPKs, the consequences of a successful attack could be severe, potentially leading to data breaches and unauthorized access.
OpenSSL versions 3.4, 3.3, and 3.2 are vulnerable to this issue. The organization has released updated versions to address the flaw:
- OpenSSL 3.4 users should upgrade to OpenSSL 3.4.1.
- OpenSSL 3.3 users should upgrade to OpenSSL 3.3.2.
- OpenSSL 3.2 users should upgrade to OpenSSL 3.2.4.
It’s important to note that this vulnerability does not affect the FIPS modules in any OpenSSL version, nor does it impact OpenSSL 3.1, 3.0, 1.1.1, and 1.0.2.
The CVE-2024-12797 vulnerability was reported to OpenSSL by Apple Inc. on December 18, 2024. OpenSSL urges all users who have enabled RPKs to update their systems as soon as possible to mitigate the risk of exploitation.