high
7
Advisory Published
Updated

REDHAT-BUG-2342757

First published: Wed Jan 29 2025(Updated: )

Severity: (High) Issue summary: Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode is set. Impact summary: TLS and DTLS connections using raw public keys may be vulnerable to man-in-middle attacks when server authentication failure is not detected by clients. RPKs are disabled by default in both TLS clients and TLS servers. The issue only arises when TLS clients explicitly enable RPK use by the server, and the server, likewise, enables sending of an RPK instead of an X.509 certificate chain. The affected clients are those that then rely on the handshake to fail when the server's RPK fails to match one of the expected public keys, by setting the verification mode to SSL_VERIFY_PEER. Clients that enable server-side raw public keys can still find out that raw public key verification failed by calling SSL_get_verify_result(), and those that do, and take appropriate action, are not affected. This issue was introduced in the initial implementation of RPK support in OpenSSL 3.2. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL 3.4, 3.3 and 3.2 are vulnerable to this issue. OpenSSL 3.4 users should upgrade to OpenSSL 3.4.1 once it is released. OpenSSL 3.3 users should upgrade to OpenSSL 3.3.2 once it is released. OpenSSL 3.2 users should upgrade to OpenSSL 3.2.4 once it is released. This issue was reported on 18th December 2024 by Apple Inc. The fix was developed by Viktor Dukhovni.

Affected SoftwareAffected VersionHow to fix
OpenSSL libcrypto>=3.2<3.4

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of REDHAT-BUG-2342757?

    The severity of REDHAT-BUG-2342757 is classified as High.

  • How do I fix REDHAT-BUG-2342757?

    To fix REDHAT-BUG-2342757, users should update OpenSSL to the latest version that addresses this vulnerability.

  • What software is affected by REDHAT-BUG-2342757?

    REDHAT-BUG-2342757 affects OpenSSL versions 3.2 to 3.4.

  • What is the impact of REDHAT-BUG-2342757?

    The impact of REDHAT-BUG-2342757 is that clients may not realize that a server is not authenticated when using RFC7250 Raw Public Keys.

  • Are TLS and DTLS connections vulnerable in REDHAT-BUG-2342757?

    Yes, TLS and DTLS connections are vulnerable under certain conditions related to the SSL_VERIFY_PEER verification mode.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203