CVE-2024-12797
Python vulnerability analysis and mitigation

Overview

CVE-2024-12797 is a high-severity vulnerability discovered in OpenSSL affecting versions 3.2, 3.3, and 3.4. The vulnerability was reported by Apple Inc. on December 18, 2024, and involves clients using RFC 7250 Raw Public Keys (RPKs) to authenticate a server. Such clients may fail to notice that the server was not authenticated, because the handshake does not abort as expected when the `SSL_VERIFY_PEER` verification mode is set (OpenSSL Advisory).

Technical details

The vulnerability affects TLS and DTLS connections using raw public keys. RPKs are disabled by default in both TLS clients and TLS servers. The issue only arises when a TLS client explicitly enables RPK use by the server, and the server in turn enables sending an RPK instead of an X.509 certificate chain. The affected clients are those that set the verification mode to `SSL_VERIFY_PEER` and rely on the handshake failing when the server's RPK does not match one of the expected public keys. The issue was introduced in the initial implementation of RPK support in OpenSSL 3.2 (OpenSSL Advisory).

Impact

The vulnerability could lead to man-in-the-middle attacks when a server authentication failure is not detected by the client. Clients that enable server-side raw public keys can still detect a verification failure by calling `SSL_get_verify_result()` and taking appropriate action; those that do not implement this check are vulnerable to potential attacks (OpenSSL Advisory).

Mitigation and workarounds

OpenSSL has released patches for affected versions. Users of OpenSSL 3.4 should upgrade to OpenSSL 3.4.1, OpenSSL 3.3 users should upgrade to OpenSSL 3.3.3, and OpenSSL 3.2 users should upgrade to OpenSSL 3.2.4. The FIPS modules in versions 3.4, 3.3, 3.2, 3.1, and 3.0 are not affected by this issue. Additionally, OpenSSL versions 3.1, 3.0, 1.1.1, and 1.0.2 are not vulnerable (OpenSSL Advisory).
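
The following triage helper is an added example, not code from OpenSSL or from the advisory. It classifies `openssl version` style strings against the affected branches and fixed releases listed above; the function name, status labels and sample inventory are assumptions made for illustration.

```python
import re
import ssl

# Branch -> first fixed release, from the mitigation paragraph above.
FIXED = {(3, 2): (3, 2, 4), (3, 3): (3, 3, 3), (3, 4): (3, 4, 1)}
# Branches the page lists as not vulnerable.
NOT_VULNERABLE = {(3, 1), (3, 0), (1, 1, 1), (1, 0, 2)}

# Accept "OpenSSL 3.3.2 3 Sep 2024" or a bare "3.3.2"; reject other products
# (e.g. LibreSSL) whose numbers overlap but follow a different release line.
_BANNER = re.compile(r"\s*(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)[a-z]*(-[0-9A-Za-z.]+)?")


def classify(banner):
    """Return (status, fixed_release_or_None) for one version string."""
    m = _BANNER.match(banner)
    if m is None:
        return ("unparsed", None)
    version = tuple(int(g) for g in m.group(1, 2, 3))
    # 1.x branches are named by three numbers (1.1.1w), 3.x by two (3.3.2).
    branch = version if version[0] == 1 else version[:2]
    if branch in NOT_VULNERABLE:
        return ("not_vulnerable", None)
    if branch not in FIXED:
        return ("not_listed", None)  # the page says nothing about this branch
    fixed = FIXED[branch]
    fixed_text = ".".join(map(str, fixed))
    # Assumption: a pre-release tag on the fixed number (3.3.3-dev) is treated
    # as still affected, since it may predate the fix.
    if version > fixed or (version == fixed and m.group(4) is None):
        return ("fixed", fixed_text)
    return ("affected", fixed_text)


# Constructed sample inventory, not real scan output.
SAMPLE = ["OpenSSL 3.3.2 3 Sep 2024", "OpenSSL 3.4.1 11 Feb 2025",
          "OpenSSL 1.1.1w  11 Sep 2023", "3.2.4-dev", "LibreSSL 3.3.6"]

if __name__ == "__main__":
    # The last entry is the OpenSSL build linked into this interpreter.
    for line in SAMPLE + [ssl.OPENSSL_VERSION]:
        print(f"{line!r}: {classify(line)}")
```

An "affected" result only means the library is in a vulnerable range; exposure also requires that the client enables server RPKs, as described under Technical details. Vendor packages may carry a backported fix under an older version string, so confirm against the vendor's own advisory.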

This report was generated using AI
