CVE-2024-13454: 
Homebrew vulnerability analysis and mitigation

A security vulnerability (CVE-2024-13454) affects Easy-RSA versions 3.0.5 through 3.1.7. The vulnerability involves a weak encryption algorithm implementation when creating private CA keys using OpenSSL 3. This vulnerability was disclosed on January 20, 2025 (NVD).

The vulnerability stems from Easy-RSA incorrectly defaulting to the outdated des-ede3-cbc cipher instead of the intended aes-256-cbc cipher when using the easyrsa build-ca command. This weakness specifically affects installations using OpenSSL 3. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.3 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L (GBHackers).

The vulnerability could allow local attackers to more easily bruteforce the private CA key, potentially compromising the entire Public Key Infrastructure (PKI) built around it. This weakness could undermine the security of the certificate authority system, affecting the integrity of secure communications within the affected infrastructure (GBHackers).

Two primary mitigation steps are recommended: 1) Re-encrypt the Private CA Key using the command 'easyrsa set-pass ca' to implement the secure aes-256-cbc cipher algorithm, and 2) Upgrade to Easy-RSA version 3.2.0 or newer, where the cipher issue has been fixed. The set-pass command is functional across all Easy-RSA versions and can help mitigate the vulnerability (GBHackers).