CVE-2024-29171
Published: 12 February 2025
Summary
CVE-2024-29171 is a medium-severity Improper Certificate Validation (CWE-295) vulnerability in Dell Bsafe Ssl-J. Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557); ranked at the 25.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-17 (Public Key Infrastructure Certificates) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-29171 is an improper certificate verification vulnerability (CWE-295) in Dell BSAFE SSL-J, affecting versions prior to 6.6 and versions 7.0 through 7.2. This flaw enables a remote attacker to potentially bypass proper validation of certificates during SSL/TLS operations, with a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N), rated as Medium severity due to high confidentiality impact.
A remote, unauthenticated attacker with network access can exploit this vulnerability, though it requires high attack complexity. No user interaction or privileges are needed, and exploitation leads to information disclosure without affecting integrity or availability.
Dell's DSA-2024-221 advisory provides a security update addressing multiple vulnerabilities in BSAFE SSL-J, including CVE-2024-29171. Further details on patches and mitigation are available in the Dell support knowledge base article at https://www.dell.com/support/kbdoc/en-us/000226620/dsa-2024-221-security-update-for-dell-bsafe-ssl-j-multiple-vulnerabilities.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-26204
Vulnerability details
Dell BSAFE SSL-J, versions prior to 6.6 and versions 7.0 through 7.2, contains an Improper certificate verification vulnerability. A remote attacker could potentially exploit this vulnerability, leading to information disclosure.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Improper certificate verification directly enables adversary-in-the-middle attacks by allowing spoofed TLS certificates to intercept confidential data.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SC-17 mandates verification of PKI certificate validity criteria and processes, directly preventing exploitation of improper certificate verification in SSL/TLS operations.
SI-2 requires timely identification, reporting, and correction of flaws like CVE-2024-29171 in BSAFE SSL-J, eliminating the vulnerability through patching.
SC-13 enforces use of compliant cryptographic modules for protections like SSL/TLS, mitigating risks from flawed implementations in libraries such as BSAFE SSL-J.