CVE-2024-2511
Published: 08 April 2024
Summary
CVE-2024-2511 is a medium-severity Improperly Controlled Sequential Memory Allocation (CWE-1325) vulnerability in Siemens (inferred from references). Its CVSS base score is 5.9 (Medium).
Operationally, it ranks in the top 7.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-2511 is a memory-management flaw in OpenSSL that affects TLS servers supporting TLSv1.3 when the non-default SSL_OP_NO_TICKET option is enabled without early-data anti-replay protection. Under certain conditions the session cache enters an incorrect state and stops flushing, producing unbounded memory growth that eventually results in a denial of service. The issue does not affect TLS clients, the FIPS modules in OpenSSL 3.0–3.2, or OpenSSL 1.0.2.
A remote attacker who can reach an affected server can deliberately trigger the cache-growth condition, exhausting memory and causing the server process to become unresponsive. Exploitation requires a specific non-default configuration and carries high attack complexity, consistent with the CVSS 5.9 rating that emphasizes availability impact without confidentiality or integrity loss.
The official OpenSSL advisory and accompanying commits (7e4d731, b52867a, e9d7083, and the extended-release fix) describe the root cause and provide patches that restore proper session-cache flushing. Administrators are advised to apply the updates or revert to default ticket behavior if the non-default option is not required.
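The configuration check described above, as an added example that is not taken from the OpenSSL advisory or its patches: it audits a Python `ssl.SSLContext` for the combination the analysis names (server side, TLSv1.3 permitted, SSL_OP_NO_TICKET set) and shows the "revert to default ticket behavior" step. The names `TicketAudit`, `audit_context` and `restore_default_tickets` are hypothetical, and it assumes a Python server whose standard `ssl` module is linked against OpenSSL; that module is assumed to expose no early-data setting, so the early_data exception cannot apply.

```python
import ssl
from dataclasses import dataclass


@dataclass
class TicketAudit:
    server_side: bool
    tls13_allowed: bool
    tickets_disabled: bool

    @property
    def matches_advisory_config(self) -> bool:
        # All three conditions must hold for the non-default setup described.
        return self.server_side and self.tls13_allowed and self.tickets_disabled


def audit_context(ctx: ssl.SSLContext) -> TicketAudit:
    """Report whether ctx is a TLSv1.3-capable server context with tickets off."""
    # TLS clients are not affected, so client-only contexts are excluded.
    server_side = ctx.protocol in (ssl.PROTOCOL_TLS_SERVER, ssl.PROTOCOL_TLS)
    ceiling = ctx.maximum_version
    tls13_allowed = (
        ceiling == ssl.TLSVersion.MAXIMUM_SUPPORTED
        or ceiling >= ssl.TLSVersion.TLSv1_3
    ) and not (ctx.options & ssl.OP_NO_TLSv1_3)
    # ssl.OP_NO_TICKET is Python's name for OpenSSL's SSL_OP_NO_TICKET.
    tickets_disabled = bool(ctx.options & ssl.OP_NO_TICKET)
    return TicketAudit(server_side, tls13_allowed, tickets_disabled)


def restore_default_tickets(ctx: ssl.SSLContext) -> TicketAudit:
    """Clear SSL_OP_NO_TICKET (the default ticket behavior) and re-audit."""
    ctx.options &= ~ssl.OP_NO_TICKET
    return audit_context(ctx)


if __name__ == "__main__":
    # Constructed sample: a server context that disables session tickets.
    sample = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    sample.options |= ssl.OP_NO_TICKET
    print("linked library:", ssl.OPENSSL_VERSION)
    print("before:", audit_context(sample))
    print("after: ", restore_default_tickets(sample))
```

The printed `ssl.OPENSSL_VERSION` string is what to compare against the fixed releases listed in the OpenSSL advisory; clearing the option is only the configuration workaround and does not replace the update.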
EPSS scores have remained low and essentially flat (current 0.0883, peak 0.0905), indicating no material increase in observed exploitation interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-27460
Vulnerability details
Issue summary: Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions.
Impact summary: An attacker may exploit certain server configurations to trigger unbounded memory growth that would lead to a Denial of Service.
This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is being used (but not if early_data support is also configured and the default anti-replay protection is in use). In this case, under certain conditions, the session cache can get into an incorrect state and it will fail to flush properly as it fills. The session cache will continue to grow in an unbounded manner. A malicious client could deliberately create the scenario for this failure to force a Denial of Service. It may also happen by accident in normal operation. This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS clients. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL 1.0.2 is also not affected by this issue.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.