A critical vulnerability has been identified in OpenSSL where clients that use RFC 7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated. The cause is that the handshake does not abort as expected when the SSL_VERIFY_PEER verification mode is enabled.
Impact Summary
TLS and DTLS connections using raw public keys may be vulnerable to man-in-the-middle attacks when the client does not detect that server authentication failed. This vulnerability affects a specific configuration of OpenSSL in which both the client and the server explicitly enable RPKs.
Affected Configuration
By default, RPKs are disabled in both TLS clients and TLS servers. The issue arises only when all of the following hold:
1. The client explicitly enables the use of server RPKs
2. The server, likewise, enables sending of an RPK instead of an X.509 certificate chain
3. Affected clients then rely on the handshake to fail when the server's RPK fails to match one of the expected public keys, by setting the verification mode to SSL_VERIFY_PEER
This issue was introduced in the initial implementation of RPK support in OpenSSL 3.2. The FIPS modules in 3.4, 3.3, 3.2, 3.1, and 3.0 are not affected.
Detection
Clients that enable server-side raw public keys can still find out that raw public key verification failed by calling the SSL_get_verify_result() function after the handshake. Clients that call this function and take appropriate action are not affected by this issue.
long verification_result = SSL_get_verify_result(ssl); /* SSL_get_verify_result() returns long, not int */
if (verification_result != X509_V_OK)
{
    /* Raw public key verification failed: treat the server as unauthenticated and abort the connection */
}
References
- OpenSSL Security Advisory
- RFC 7250 - Using Raw Public Keys in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)
- OpenSSL CVE-2024-12797 Advisory
Exploit Details
Exploiting this vulnerability would require a man-in-the-middle position. An attacker able to intercept and modify the communication between the client and the server could potentially gain unauthorized access to the system, compromise the integrity and confidentiality of the transmitted data, or cause a denial of service.
To mitigate this vulnerability, ensure that clients and servers using RPKs are configured correctly and that clients call the SSL_get_verify_result() function after the handshake to detect authentication failures. Alternatively, switch to the widely adopted and recommended X.509 certificates for authentication instead of raw public keys.
Stay up-to-date with OpenSSL patches and security advisories to protect your applications from any potential security threats.
Timeline
Published on: 02/11/2025 16:15:38 UTC
Last modified on: 02/18/2025 14:15:27 UTC