Summary: The OpenSSL Project has announced a high-severity vulnerability (CVE-2024-12797) in its library, affecting secure communications via TLS/DTLS connections that utilize raw public keys (RPKs). The flaw may allow man-in-the-middle (MitM) attacks due to inadequate server authentication checks when SSL_VERIFY_PEER mode is enabled. This vulnerability impacts versions 3.2, 3.3, and 3.4 of OpenSSL, which have been patched with new releases.
Affected: OpenSSL library (versions 3.2, 3.3, and 3.4)
Keypoints :
- Vulnerability CVE-2024-12797 allows potential MitM attacks when using RPKs with SSL_VERIFY_PEER enabled.
- The issue occurs only when both the client and server explicitly use RPKs instead of the standard X.509 certificate chain.
- Versions 3.4.1, 3.3.2, and 3.2.4 have addressed this vulnerability.
Source: https://securityaffairs.com/174111/security/openssl-patched-the-vulnerability-cve-2024-12797.html