CVE-2024-6119

03.09.2024, 16:15

Issue summary: Applications performing certificate name checks (e.g., TLS
clients checking server certificates) may attempt to read an invalid memory
address resulting in abnormal termination of the application process.

Impact summary: Abnormal termination of an application can a cause a denial of
service.

Applications performing certificate name checks (e.g., TLS clients checking
server certificates) may attempt to read an invalid memory address when
comparing the expected name with an `otherName` subject alternative name of an
X.509 certificate. This may result in an exception that terminates the
application program.

Note that basic certificate chain validation (signatures, dates, ...) is not
affected, the denial of service can occur only when the application also
specifies an expected DNS name, Email address or IP address.

TLS servers rarely solicit client certificates, and even when they do, they
generally don't perform a name check against a reference identifier (expected
identity), but rather extract the presented identity after checking the
certificate chain. So TLS servers are generally not affected and the severity
of the issue is Moderate.

The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

Type Confusion

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
openssl	CNA	---				---
CVE	ADP	---				---
CISA-ADP	ADP	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 74%

Debian Releases

Debian Product

Codename

openssl

bullseye	1.1.1w-0+deb11u1 not-affected
bullseye (security)	1.1.1w-0+deb11u3 fixed
bookworm	3.0.16-1~deb12u1 fixed
bookworm (security)	3.0.14-1~deb12u2 fixed
trixie	3.5.0-1 fixed
sid	3.5.0-2 fixed

Ubuntu Releases

Ubuntu Product

Codename

edk2

plucky	needs-triage
oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage

nodejs

plucky	not-affected
oracular	not-affected
noble	not-affected
jammy	needed
focal	not-affected
bionic	needs-triage
xenial	needs-triage
trusty	not-affected

openssl

plucky	Fixed 3.3.1-2ubuntu2 released
oracular	Fixed 3.3.1-2ubuntu2 released
noble	Fixed 3.0.13-0ubuntu3.4 released
jammy	Fixed 3.0.2-0ubuntu1.18 released
focal	not-affected
bionic	not-affected
xenial	not-affected
trusty	not-affected

openssl1.0

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	not-affected

Common Weakness Enumeration

CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')
The program allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.

References

https://github.com/openssl/openssl/commit/05f360d9e849a1b277db628f1f13083a7f8dd04f

https://github.com/openssl/openssl/commit/06d1dc3fa96a2ba5a3e22735a033012aadc9f0d6

https://github.com/openssl/openssl/commit/621f3729831b05ee828a3203eddb621d014ff2b2

https://github.com/openssl/openssl/commit/7dfcee2cd2a63b2c64b9b4b0850be64cb695b0a0

https://openssl-library.org/news/secadv/20240903.txt

http://www.openwall.com/lists/oss-security/2024/09/03/4

https://lists.freebsd.org/archives/freebsd-security/2024-September/000303.html

https://security.netapp.com/advisory/ntap-20240912-0001/