OpenSSL Flaw Allows Hackers to Execute Man-in-the-Middle Attacks


A recently disclosed high-severity vulnerability in OpenSSL (CVE-2024-12797) could allow attackers to launch man-in-the-middle (MitM) attacks on TLS and DTLS connections that use raw public keys (RPKs) for server authentication. The flaw affects OpenSSL versions 3.2, 3.3, and 3.4 and was discovered by Apple Inc. in December 2024.


The vulnerability stems from improper handling of server authentication failures during the handshake: a client that has asked for peer verification keeps going after the server's RPK fails to verify, instead of aborting. The issue is limited to deployments that have explicitly enabled RPKs on both sides (they are disabled by default), but in those environments it defeats the purpose of setting SSL_VERIFY_PEER, which is to make an unauthenticated server fatal.


Understanding the Vulnerability

The flaw arises from the behavior of the SSL_VERIFY_PEER verification mode during the handshake when the server authenticates with an RFC 7250 Raw Public Key (RPK) rather than an X.509 certificate chain. When the server's RPK fails to match one of the public keys the client expects, the handshake should abort; instead it completes, and the client ends up talking to a server that was never authenticated. The verification failure is still recorded, so SSL_get_verify_result() reports an error, but nothing stops the connection unless the client checks for it.

Key Details:

  • Affected Versions:
    • OpenSSL 3.4 (prior to 3.4.1)
    • OpenSSL 3.3 (prior to 3.3.3)
    • OpenSSL 3.2 (prior to 3.2.4)
  • Unaffected Versions: OpenSSL 3.1, 3.0, 1.1.1 and 1.0.2 (no RPK support), and the FIPS modules in OpenSSL versions 3.0 through 3.4

RPKs are disabled by default in both TLS clients and TLS servers. The issue only arises when the client has explicitly enabled RPK use by the server and the server, likewise, has enabled sending an RPK instead of the default X.509 certificate chain. The problem was introduced with the initial implementation of RPK support in OpenSSL 3.2.


Impact and Risk

For clients relying on RPK verification, an attacker positioned between client and server can present an RPK of their own: the client's verification of that key fails, but the handshake completes anyway, so the attacker can read and alter everything that follows. The flaw is in the client's handling of server authentication, so the exposure is whatever the client sends or trusts over the connection.

Potential Attack Scenarios:

  • Man-in-the-Middle Attacks – Intercept and alter data between client and server
  • Data Exfiltration – Steal sensitive information during communication
  • Session Hijacking – Take control of authenticated sessions
  • Communication Manipulation – Inject malicious content or commands into the communication stream

However, clients that explicitly call SSL_get_verify_result() after the handshake, treat any value other than X509_V_OK as a failed authentication, and close the connection are not affected by this vulnerability.


Mitigation and Fix

The OpenSSL Project has released patches to address the vulnerability in affected versions:

  • OpenSSL 3.4 users should upgrade to version 3.4.1
  • OpenSSL 3.3 users should upgrade to version 3.3.3
  • OpenSSL 3.2 users should upgrade to version 3.2.4

Administrators are urged to apply these updates immediately to mitigate potential risks. Failing to patch affected systems could expose critical infrastructure to exploitation.


Steps to Protect Your Systems

To ensure your environment is secure:

  1. Apply OpenSSL Updates: Upgrade to the latest patched versions.
  2. Audit TLS Configurations: Ensure RPK functionality is not inadvertently enabled unless necessary.
  3. Monitor Logs: Regularly review connection logs for signs of unusual handshake behavior or failed authentication attempts.
  4. Enable SSL_get_verify_result() Checks: Ensure clients explicitly call this function after the handshake and abort the connection when it returns anything other than X509_V_OK, rather than assuming a completed handshake means the server was authenticated.
  5. Implement Network Monitoring Tools: Detect and prevent MitM attacks in real time.