CVE-2024-9143
OpenSSL vulnerability analysis and mitigation

Overview

CVE-2024-9143 affects OpenSSL versions 3.3, 3.2, 3.1, 3.0, 1.1.1, and 1.0.2. The vulnerability was discovered by Google OSS-Fuzz-Gen and reported on September 16, 2024. It involves the use of low-level GF(2^m) elliptic curve APIs with untrusted explicit values for the field polynomial, which can lead to out-of-bounds memory reads or writes (OpenSSL Advisory).

Technical details

The vulnerability affects the low-level GF(2^m) elliptic curve APIs, specifically EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(), and various supporting BN_GF2m_*() functions. The issue occurs when binary EC curve parameters with invalid field polynomials are processed, which can lead to out-of-bounds memory access in BN_GF2m_mod_arr(). SUSE assigned the vulnerability a CVSS 3.1 score of 7.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H), whereas OpenSSL rates it as low severity because the exploitation potential is limited (OSS Security).

Impact

The vulnerability can lead to application crashes or remote code execution through out-of-bounds memory writes. However, the impact is limited because in most protocols involving Elliptic Curve Cryptography, either only 'named curves' are supported, or explicit curve parameters use X9.62 encoding that cannot represent the problematic input values. The FIPS modules in versions 3.3, 3.2, 3.1, and 3.0 are not affected by this issue (OpenSSL Advisory).
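The named-curve-only condition described above, as an added example that is not part of this page or of OpenSSL's code: a small pure-Python DER check that classifies the ECParameters inside an EC SubjectPublicKeyInfo, so an application that accepts EC keys or parameters from untrusted sources can reject explicit (in particular characteristic-two) parameters before they reach the low-level APIs. The sample SPKI byte strings are constructed placeholders, not real keys.

```python
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # id-ecPublicKey 1.2.840.10045.2.1
FIELD_TYPES = {bytes.fromhex("2a8648ce3d0101"): "explicit-prime",   # X9.62 prime-field
               bytes.fromhex("2a8648ce3d0102"): "explicit-char2"}   # characteristic-two-field

def read_tlv(buf, pos):
    """Minimal DER TLV reader: returns (tag, value, next_pos); short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def ec_parameters_kind(spki_der):
    """Return 'named', 'implicit', 'explicit-prime', 'explicit-char2' or 'explicit-unknown'."""
    tag, spki, _ = read_tlv(spki_der, 0)
    tag2, alg, _ = read_tlv(spki, 0)
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("expected SEQUENCE { AlgorithmIdentifier, BIT STRING }")
    tag, oid, pos = read_tlv(alg, 0)
    if tag != 0x06 or oid != ID_EC_PUBLIC_KEY:
        raise ValueError("not an id-ecPublicKey key")
    if pos >= len(alg):
        return "implicit"                   # parameters absent (implicitlyCA)
    tag, params, _ = read_tlv(alg, pos)
    if tag in (0x06, 0x05):                 # namedCurve OID, or NULL (implicitlyCA)
        return "named" if tag == 0x06 else "implicit"
    if tag != 0x30:
        return "explicit-unknown"
    # ECParameters ::= SEQUENCE { version INTEGER, fieldID SEQUENCE { fieldType OID, ... }, ... }
    _, _, pos = read_tlv(params, 0)         # skip version
    tag, field_id, _ = read_tlv(params, pos)
    tag2, field_type, _ = read_tlv(field_id, 0)
    if tag != 0x30 or tag2 != 0x06:
        return "explicit-unknown"
    return FIELD_TYPES.get(field_type, "explicit-unknown")

def der(tag, content):                      # tiny DER encoder, short-form lengths only
    return bytes([tag, len(content)]) + content

# Constructed samples (not real keys): a named P-256 SPKI and an explicit
# characteristic-two SPKI carrying only the leading fields the classifier reads.
POINT = der(0x03, b"\x00\x04" + b"\x11" * 64)
ALG_NAMED = der(0x06, ID_EC_PUBLIC_KEY) + der(0x06, bytes.fromhex("2a8648ce3d030107"))  # P-256
ALG_CHAR2 = der(0x06, ID_EC_PUBLIC_KEY) + der(0x30, der(0x02, b"\x01")
            + der(0x30, der(0x06, bytes.fromhex("2a8648ce3d0102"))))  # version, fieldID only
NAMED_P256 = der(0x30, der(0x30, ALG_NAMED) + POINT)
EXPLICIT_CHAR2 = der(0x30, der(0x30, ALG_CHAR2) + POINT)
```

A policy that admits only `"named"` results keeps explicit GF(2^m) field polynomials from untrusted input away from the affected BN_GF2m_*() code paths.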

Mitigation and workarounds

OpenSSL has released fixes for all affected versions: 3.3.3, 3.2.4, 3.1.8, 3.0.16, 1.1.1zb (premium support only), and 1.0.2zl (premium support only). The fixes are available in commits c0d3e4d3 (3.3), bc7e04d7 (3.2), fdf67233 (3.1), and 72ae83ad (3.0). Due to the low severity, immediate updates are not being issued, and fixes will be included in the next regular releases (OpenSSL Advisory).

Community reactions

There has been discussion regarding the severity assessment of this vulnerability, with OpenSSL rating it as 'low' while SUSE assessed it as 'moderate'. The difference stems from OpenSSL's consideration of exploitation likelihood in its severity rating, whereas SUSE used standard CVSS scoring, which focuses on potential impact (OSS Security).
