AI description
CVE-2024-12797 is a vulnerability in OpenSSL related to the implementation of Raw Public Keys (RPKs), an alternative to traditional X.509 certificates for authentication. The flaw allows attackers to potentially execute man-in-the-middle (MITM) attacks by impersonating servers. Clients using RPKs for server authentication might not detect the impersonation because handshakes don't terminate as expected when the SSL_VERIFY_PEER verification mode is active. The vulnerability affects OpenSSL versions 3.2, 3.3, and 3.4. Recommended remediation involves updating to OpenSSL 3.2.4, 3.3.2, or 3.4.1, respectively. The vulnerability doesn't affect OpenSSL versions 3.0, 3.1, 1.1.1, 1.0.2, or FIPS modules. The issue was initially reported to OpenSSL by Apple Inc. in December 2024. The cryptography package, which includes OpenSSL, is also impacted by this vulnerability, and updating to version 44.0.1 or later is advised. If immediate updates are not feasible, building from source is a suggested temporary workaround.
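An added triage sketch (not part of the CVE record or of OpenSSL's code) that classifies `openssl version`-style banners against the affected, fixed and unaffected releases listed above. The host names and banners are constructed, and an "affected" result only indicates exposure where raw public keys have been explicitly enabled.

```python
import re

# Per-branch fixed releases and unaffected branches, as stated on this page.
FIXED = {(3, 2): (3, 2, 4), (3, 3): (3, 3, 2), (3, 4): (3, 4, 1)}
UNAFFECTED = [(3, 0), (3, 1), (1, 1, 1), (1, 0, 2)]

# First "OpenSSL X.Y.Z" in a banner; a letter suffix (1.1.1w) is ignored,
# a "-tag" suffix (3.4.1-dev) is captured as a pre-release marker.
_BANNER = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)[a-z]*(-[0-9A-Za-z.]+)?")


def triage(banner):
    """Classify one version banner for CVE-2024-12797 as (status, detail)."""
    m = _BANNER.search(banner)
    if m is None:
        return ("unknown", "no OpenSSL version in banner")
    version = tuple(int(g) for g in m.group(1, 2, 3))
    shown = ".".join(map(str, version)) + (m.group(4) or "")
    if any(version[:len(p)] == p for p in UNAFFECTED):
        return ("not-affected", shown + " is on a branch listed as not affected")
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return ("unknown", shown + " is on a branch this page does not cover")
    target = ".".join(map(str, fixed))
    if version < fixed:
        return ("affected", shown + " -> update to " + target)
    if m.group(4):
        return ("unknown", shown + " is a pre-release build; confirm it has the fix")
    return ("fixed", shown + " >= " + target)


# Constructed inventory (host names and banners are made up for illustration).
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)",
    "iot-gw": "OpenSSL 3.2.1 30 Jan 2024",
    "build-7": "OpenSSL 3.4.1-dev",
    "api-02": "OpenSSL 3.3.2 3 Sep 2024",
    "legacy": "OpenSSL 1.1.1w  11 Sep 2023",
    "edge-03": "LibreSSL 3.9.2",
}


def report(inventory):
    """Map each host to its triage status."""
    return {host: triage(banner)[0] for host, banner in inventory.items()}


if __name__ == "__main__":
    print(report(SAMPLE_INVENTORY))
```

Passing `ssl.OPENSSL_VERSION` to `triage()` checks the library the Python interpreter itself is linked against.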
- Description: Issue summary: Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode is set. Impact summary: TLS and DTLS connections using raw public keys may be vulnerable to man-in-middle attacks when server authentication failure is not detected by clients. RPKs are disabled by default in both TLS clients and TLS servers. The issue only arises when TLS clients explicitly enable RPK use by the server, and the server, likewise, enables sending of an RPK instead of an X.509 certificate chain. The affected clients are those that then rely on the handshake to fail when the server's RPK fails to match one of the expected public keys, by setting the verification mode to SSL_VERIFY_PEER. Clients that enable server-side raw public keys can still find out that raw public key verification failed by calling SSL_get_verify_result(), and those that do, and take appropriate action, are not affected. This issue was introduced in the initial implementation of RPK support in OpenSSL 3.2. The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.
- Source: openssl-security@openssl.org
- NVD status: Awaiting Analysis
CVSS 3.1
- Type: Secondary
- Base score: 6.3
- Impact score: 3.4
- Exploitability score: 2.8
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
- Severity: MEDIUM
- openssl-security@openssl.org
- CWE-392
⚠️ CVE-2024-12797: OpenSSL Vulnerable to MitM Attacks Due to Flaw in Raw Public Key Authentication https://t.co/dHYAe8hFHg
@tpx_Security
14 Feb 2025
📢OpenSSL releases a patch fixing vulnerability CVE-2024-12797🛠️ #ThaiCERT #NCSA #CybersecurityNew Follow the news at https://t.co/HCsLrrYz4c https://t.co/QEsxfJrHjV
@ThaiCERTByNCSA
13 Feb 2025
A new MitM-type vulnerability has been published for the OpenSSL product with the identifier CVE-2024-12797. Versions 3.4, 3.3 and 3.2, and versions lower than these, have this vulnerability. To prevent it, update to versions 3.4.1, 3.3.2 and 3.2.4 respectively. https://t.co/Poz3aKY03t ht
@AmirHossein_sec
12 Feb 2025
High-Severity OpenSSL Vulnerability Found by Apple Allows MitM Attacks (CVE-2024-12797) https://t.co/nrk5yRkYrB #patchmanagement
@eyalestrin
12 Feb 2025
CVE-2024-12797 OpenSSL Vulnerability Patched #OpenSSH #CVE-2024-12797 https://t.co/06csGMk2J0
@pravin_karthik
12 Feb 2025
CVE-2024-12797 – High-Severity OpenSSL Flaw: Update Now to Prevent MITM Attacks https://t.co/9GDr2GYiXY
@Dinosn
12 Feb 2025
High-Severity OpenSSL Vulnerability CVE-2024-12797 The vulnerability identified by Apple in OpenSSL, tracked as CVE-2024-12797, is indeed a high-severity issue that poses significant risks, especially in terms of Man-in-the-Middle (MitM) attacks. https://t.co/9e9kXsEXlf
@roytrilok91
12 Feb 2025
🚨Alert🚨 CVE-2024-12797:OpenSSL TLS/DTLS Raw Public Key Authentication Failure 📊 71M+ Services are found on the https://t.co/ysWb28Crld yearly. 🔗Hunter Link:https://t.co/BcOtWFMO4G 👇Query HUNTER : https://t.co/q9rtuGgxk7="OpenSSL" FOFA : product="OpenSSL"… https://t.co/ddVUW
@HunterMapping
12 Feb 2025
OpenSSL 3.4.1 > a #security patch release. The most severe #CVE fixed in this release is High. This release incorporates the following bug fixes and mitigations: * Fixed CVE-2024-12797 * Fixed CVE-2024-13176 Details: https://t.co/EvRW7LB7gR
@stevematindi
12 Feb 2025
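A serious vulnerability in OpenSSL that enables man-in-the-middle attacks has been fixed. CVE-2024-12797 affects clients that use RFC7250 raw public keys (RPKs) for server authentication, and was introduced in version 3.2, where the feature was first implemented. The feature is disabled by default. https://t.co/GKAraVOI5U Even when SSL_VERIFY_PEER is set… https://t.co/Ipie8gnAmR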
@__kokumoto
11 Feb 2025
OpenSSL patched high-severity flaw CVE-2024-12797 https://t.co/eGxGCyNMxr
@hackplayers
11 Feb 2025
The SIOS security blog has been updated. OpenSSL vulnerabilities (High: CVE-2024-12797, Low: CVE-2024-13176) #sios_tech #security #vulnerability #セキュリティ #脆弱性 #linux #openssl https://t.co/nkfkBZnIKE
@omokazuki
11 Feb 2025
CVE-2024-12797 Issue summary: Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because handshakes don'… https://t.co/HOZukk25TU
@CVEnew
11 Feb 2025