EXECUTIVE SUMMARY:
A high-severity vulnerability in OpenSSL with a CVSS score of 7.4 affects the implementation of Raw Public Keys (RPKs), potentially enabling man-in-the-middle attacks by allowing attackers to impersonate servers. The flaw, tracked as CVE-2024-12797, arises from handshake failures in SSL_VERIFY_PEER verification mode, leaving clients unaware of authentication issues. While RPKs are disabled by default, users who have explicitly enabled them are at risk of data breaches and unauthorized access. Users who have enabled Raw Public Keys (RPKs) should update to the latest OpenSSL versions immediately to mitigate the risk. The flaw poses a significant threat, potentially leading to unauthorized access and data breaches.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY:
A high-severity vulnerability in OpenSSL with a CVSS score of 7.4 affects the implementation of Raw Public Keys (RPKs), potentially enabling man-in-the-middle attacks by allowing attackers to impersonate servers. The flaw, tracked as CVE-2024-12797, arises from handshake failures in SSL_VERIFY_PEER verification mode, leaving clients unaware of authentication issues. While RPKs are disabled by default, users who have explicitly enabled them are at risk of data breaches and unauthorized access. Users who have enabled Raw Public Keys (RPKs) should update to the latest OpenSSL versions immediately to mitigate the risk. The flaw poses a significant threat, potentially leading to unauthorized access and data breaches.[emaillocker id="1283"]
RECOMMENDATION:
We strongly recommend you update OpenSSL to below versions:
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/cve-2024-12797-high-severity-openssl-flaw-update-now-to-prevent-mitm-attacks/