CVE-2024-6119
Published: 03 September 2024
Summary
CVE-2024-6119 is a high-severity Type Confusion (CWE-843) vulnerability in OpenSSL. Its CVSS base score is 7.5 (High); note that the OpenSSL project's own advisory rates the issue Moderate, because the impact is a denial of service that mainly reaches TLS clients, not servers.
Operationally, it ranks in the top 5.4% of CVEs by EPSS exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-6119 is a type-confusion flaw (an invalid memory read) in OpenSSL's certificate name-checking logic, which is used by TLS clients and other applications that validate an X.509 certificate against an expected identity. When an application compares an expected DNS name, email address or IP address with an otherName subject alternative name in a presented certificate, the comparison may dereference an invalid memory address and the process terminates. This is the code path exercised when a reference identity is set, for example through X509_VERIFY_PARAM_set1_host(), X509_VERIFY_PARAM_set1_email() or X509_VERIFY_PARAM_set1_ip() (SSL_set1_host() at the TLS layer), or when X509_check_host(), X509_check_email() or X509_check_ip() is called directly. Basic chain validation (signatures, validity periods, etc.) is unaffected; the issue is limited to the name-matching step. The FIPS modules in OpenSSL 3.3, 3.2, 3.1 and 3.0 are not impacted.
An unauthenticated remote attacker can trigger the flaw by presenting a certificate containing a crafted otherName SAN during a TLS handshake or any similar certificate-validation operation, for example from a malicious or compromised server to a client that checks the server's name, or from an on-path position. Successful exploitation yields only a denial of service through abnormal process termination; the advisory reports no confidentiality or integrity impact. TLS servers are rarely affected: they seldom solicit client certificates, and when they do they generally extract the presented identity after chain validation rather than checking it against a reference identifier.
Upstream fixes shipped on 3 September 2024 in OpenSSL 3.3.2, 3.2.3, 3.1.7 and 3.0.15, the commits referenced in the OpenSSL security advisory of that date; the 3.0 through 3.3 release lines are the affected ones. Applications that bundle their own copy of libcrypto (language runtimes, container images, appliances) need a rebuild or vendor update, not just a system package upgrade. The CVSS 7.5 score (vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects a network-reachable availability impact with low attack complexity and no privileges or user interaction required. EPSS is 0.1426 (peak 0.1458), with no pronounced increase after disclosure.
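To make the failure mode concrete, here is an added example (my own code, not OpenSSL's and not taken from the advisory) of the vulnerable check beside its hardened form, written against a simplified model of the ASN.1 structures. The struct layouts, the tag values, the NID_SMTP_UTF8_MAILBOX constant and the match_* function names are assumptions of the example. The point it illustrates, and the mechanism the advisory text under Vulnerability details describes, is that an otherName's payload is an ANY-typed tagged union, so a matcher that trusts the otherName's type identifier and reads the union as a string without checking the ASN.1 tag reads through an invalid pointer when a crafted certificate supplies a different value type. The email comparison rule (local part case-sensitive, domain case-insensitive) is the one OpenSSL's own email matcher applies.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the structures involved (an assumption of this example,
 * not OpenSSL's definitions). As in OpenSSL's ASN1_TYPE, a BOOLEAN is stored
 * inline in the union while a UTF8String sits behind a pointer. */
enum asn1_tag { TAG_BOOLEAN = 1, TAG_UTF8STRING = 12 };
typedef struct { int length; const unsigned char *data; } asn1_string; /* explicit length, no NUL */
typedef struct {
    enum asn1_tag type;
    union {
        int boolean;              /* valid only for TAG_BOOLEAN, stored inline */
        asn1_string *utf8string;  /* valid only for TAG_UTF8STRING */
    } value;
} asn1_type;
#define NID_SMTP_UTF8_MAILBOX 1208 /* stands in for id-on-SmtpUTF8Mailbox; number is illustrative */
typedef struct { int type_id; asn1_type *value; } othername; /* SAN otherName: type id + ANY payload */

/* Email reference-identifier comparison: local part case-sensitive, domain
 * case-insensitive. Lengths are explicit so an embedded NUL byte cannot
 * truncate the comparison. */
int email_equal(const unsigned char *a, size_t alen, const unsigned char *b, size_t blen)
{
    const unsigned char *at;
    size_t i, local;

    if (alen != blen || (at = memchr(a, '@', alen)) == NULL)
        return 0;
    local = (size_t)(at - a);
    if (b[local] != '@' || memcmp(a, b, local) != 0)
        return 0;
    for (i = local + 1; i < alen; i++)
        if (tolower(a[i]) != tolower(b[i]))
            return 0;
    return 1;
}

/* Pre-fix shape of the check: the otherName type id is trusted and the payload
 * is read as a UTF8String without consulting its ASN.1 tag. If a crafted SAN
 * carries a BOOLEAN instead, the inline integer is reinterpreted as a pointer
 * and dereferenced: the invalid read behind CVE-2024-6119. */
int match_smtputf8_vulnerable(const othername *on, const unsigned char *ref, size_t reflen)
{
    const asn1_string *s;
    if (on->type_id != NID_SMTP_UTF8_MAILBOX)
        return 0;
    s = on->value->value.utf8string;           /* type confusion if tag != UTF8String */
    return email_equal(ref, reflen, s->data, (size_t)s->length);
}

/* Hardened form: the tag is checked before the union member is used, so a
 * mismatched payload fails to match instead of being dereferenced. */
int match_smtputf8_fixed(const othername *on, const unsigned char *ref, size_t reflen)
{
    const asn1_string *s;
    if (on->type_id != NID_SMTP_UTF8_MAILBOX)
        return 0;
    if (on->value == NULL || on->value->type != TAG_UTF8STRING)
        return 0;                               /* the check the fix adds */
    s = on->value->value.utf8string;
    return email_equal(ref, reflen, s->data, (size_t)s->length);
}

/* Constructed inputs standing in for decoded certificate contents. */
static const unsigned char REF[] = "alice@example.org";
#define REFLEN (sizeof(REF) - 1)

/* Well-formed SAN: old and new code both match it. Returns 1 on success. */
int demo_wellformed(void)
{
    asn1_string str = { 17, (const unsigned char *)"alice@EXAMPLE.org" };
    asn1_type val = { TAG_UTF8STRING, { .utf8string = &str } };
    othername on = { NID_SMTP_UTF8_MAILBOX, &val };
    return match_smtputf8_vulnerable(&on, REF, REFLEN) == 1
        && match_smtputf8_fixed(&on, REF, REFLEN) == 1;
}

/* Crafted SAN: claims SmtpUTF8Mailbox but carries BOOLEAN TRUE. The fixed
 * matcher returns 0 without touching the pointer member; the vulnerable one
 * would dereference 0xff and crash, so it is deliberately not called here.
 * Returns 1 when the fixed code rejects the SAN. */
int demo_crafted_rejected(void)
{
    asn1_type val;
    othername on = { NID_SMTP_UTF8_MAILBOX, &val };
    memset(&val, 0, sizeof val);
    val.type = TAG_BOOLEAN;
    val.value.boolean = 0xff;                   /* DER encoding of TRUE */
    return match_smtputf8_fixed(&on, REF, REFLEN) == 0;
}

int main(void)
{
    printf("well-formed SAN matches: %s\n", demo_wellformed() ? "yes" : "no");
    printf("crafted SAN rejected:    %s\n", demo_crafted_rejected() ? "yes" : "no");
    return 0;
}
```

Build with any C99 compiler (for example `cc -std=c99 -Wall demo.c`). The vulnerable matcher is kept so the two can be read side by side but is only ever called on the well-formed SAN; on the crafted one it would dereference the inline BOOLEAN reinterpreted as a pointer, which is the abnormal termination the advisory reports. When auditing your own code that inspects GENERAL_NAME otherName values through OpenSSL's API, the same rule applies: check the ASN1_TYPE's type field before using any member of its value union.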
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-47266
Vulnerability details
Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process. Impact summary: Abnormal termination of an application can cause a denial of service. Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an `otherName` subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program. Note that basic certificate chain validation (signatures, dates, ...) is not affected, the denial of service can occur only when the application also specifies an expected DNS name, Email address or IP address. TLS servers rarely solicit client certificates, and even when they do, they generally don't perform a name check against a reference identifier (expected identity), but rather extract the presented identity after checking the certificate chain. So TLS servers are generally not affected and the severity of the issue is Moderate. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.
- CWE(s): CWE-843 (Access of Resource Using Incompatible Type, "Type Confusion")
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.