Critical OpenSSL Vulnerability Allows Hackers to Launch Man-in-the-Middle Attacks

Feb 12, 2025 - 09:25

The OpenSSL Project announced a high-severity vulnerability (CVE-2024-12797) affecting versions 3.2, 3.3, and 3.4 of the widely used cryptographic library.

The vulnerability, discovered by Apple Inc. in December 2024, could potentially allow man-in-the-middle (MitM) attacks on TLS and DTLS connections that rely on raw public keys (RPKs) for server authentication.

“The issue only arises when TLS clients explicitly enable RPK use by the server, and the server, likewise, enables sending of an RPK instead of an X.509 certificate chain,” the OpenSSL advisory notes.

OpenSSL Vulnerability

The vulnerability stems from improper handling of server authentication failures during the handshake when RFC 7250 Raw Public Keys are in use.

Specifically, a client that sets the SSL_VERIFY_PEER verification mode expects the handshake to abort when the server's RPK does not match an expected public key. On affected versions the handshake completes anyway, so a client that treats a successful handshake as proof of server authentication proceeds to use a connection to an unauthenticated peer, which is exactly the position a MitM attacker needs.

RPKs are disabled by default in both TLS clients and servers, meaning this issue only affects systems where RPK functionality is explicitly enabled by both parties. The problem was introduced with the initial implementation of RPK support in OpenSSL 3.2.

“Clients that enable server-side raw public keys can still find out that raw public key verification failed by calling SSL_get_verify_result(), and those that do, and take appropriate action, are not affected,” the OpenSSL advisory stated.

The flaw could allow attackers to intercept or manipulate communications between clients and servers in scenarios where authentication failure goes unnoticed.

However, clients that explicitly call SSL_get_verify_result() after the handshake, and treat any result other than X509_V_OK as an authentication failure rather than relying on the handshake itself to fail, remain unaffected.

Affected versions:

  • OpenSSL 3.4 (prior to version 3.4.1)
  • OpenSSL 3.3 (prior to version 3.3.2)
  • OpenSSL 3.2 (prior to version 3.2.4)

Older versions of OpenSSL (3.1, 3.0, 1.1.1 and 1.0.2) are not impacted, since RPK support only exists from 3.2 onward, and neither are the FIPS modules in versions 3.0 through 3.4.

“The affected clients are those that then rely on the handshake to fail when the server’s RPK fails to match one of the expected public keys, by setting the verification mode to SSL_VERIFY_PEER,” the advisory continues.

Mitigation and Fix

The OpenSSL Project has released patches to address the vulnerability:

  • OpenSSL 3.4 users should upgrade to version 3.4.1.
  • OpenSSL 3.3 users should upgrade to version 3.3.2.
  • OpenSSL 3.2 users should upgrade to version 3.2.4.

Administrators are urged to apply these updates promptly to mitigate potential risks. Until a client is rebuilt against a fixed release, it should either leave RPK support disabled (the default) or check SSL_get_verify_result() after the handshake and abandon the connection on anything other than X509_V_OK, instead of relying on the handshake to fail.

The fix for this vulnerability was developed by Viktor Dukhovni, following its report by Apple Inc.

This marks the first high-severity vulnerability disclosed in OpenSSL since February 2023, reflecting the project’s ongoing focus on improving security since major incidents like Heartbleed in 2014.


The post Critical OpenSSL Vulnerability Allows Hackers to Launch Man-in-the-Middle Attacks appeared first on Cyber Security News.