CVE-2024-0727: 
Python vulnerability analysis and mitigation

CVE-2024-0727 is a vulnerability in OpenSSL's PKCS12 file processing functionality, discovered on January 25, 2024. The vulnerability affects OpenSSL versions 3.2 (before 3.2.1), 3.1 (before 3.1.5), 3.0 (before 3.0.13), 1.1.1 (before 1.1.1x), and 1.0.2 (before 1.0.2zj). This issue was reported by Bahaa Naamneh from Crosspoint Labs (OpenSSL Advisory).

The vulnerability stems from improper handling of NULL fields in PKCS12 format files. While the PKCS12 specification allows certain fields to be NULL, OpenSSL does not correctly check for this case, leading to a NULL pointer dereference. The vulnerable OpenSSL APIs include PKCS12parse(), PKCS12unpackp7data(), PKCS12unpackp7encdata(), PKCS12unpackauthsafes(), and PKCS12newpass(). The FIPS modules in versions 3.2, 3.1, and 3.0 are not affected by this issue. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (NVD).

When successfully exploited, this vulnerability can cause OpenSSL to crash, resulting in a Denial of Service (DoS) condition. Applications that process PKCS12 files from untrusted sources using the affected OpenSSL APIs are vulnerable to this issue (OpenSSL Advisory).

Users are advised to upgrade to the following fixed versions: OpenSSL 3.2.1, 3.1.5, 3.0.13, 1.1.1x (premium support customers only), or 1.0.2zj (premium support customers only). The fixes are available in commits 775acfdbd0 (for 3.2), d135eeab8a (for 3.1), and 09df4395b5 (for 3.0) in the OpenSSL git repository (OpenSSL Advisory).