CVE-2024-6119

Access of Resource Using Incompatible Type ('Type Confusion') (CWE-843)

Published: Sep 3, 2024 / Updated: 2mo ago


Summary

Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an `otherName` subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program. The issue affects OpenSSL and can lead to abnormal termination of the application process, potentially causing a denial of service. Basic certificate chain validation is not affected. The vulnerability is primarily relevant to TLS clients, while TLS servers are generally not affected.

Impact

This vulnerability can cause a denial of service by abnormally terminating the application process. It occurs when applications perform certificate name checks against a reference identifier (expected identity). The impact is primarily on TLS clients, as TLS servers rarely perform such checks. The severity is considered Moderate. According to the CVSS v3.1 score, it has a base score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. This indicates a network-based attack vector with low attack complexity, requiring no privileges or user interaction. While it has a high impact on confidentiality, there is no impact on integrity or availability according to the CVSS score.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

The vulnerability affects OpenSSL. The FIPS modules in versions 3.3, 3.2, 3.1, and 3.0 are not affected by this issue. However, the information provided does not specify if a patch is available for affected versions. The security team should monitor OpenSSL's official channels for patch information and updates.

Mitigation

1. Prioritize patching for TLS client applications that perform certificate name checks.
2. Monitor for and apply any security updates or patches released by OpenSSL for affected versions.
3. Consider implementing additional security measures to detect and prevent potential denial of service attacks resulting from this vulnerability.
4. Review and potentially limit the use of `otherName` subject alternative names in X.509 certificates where possible.
5. Ensure that error handling in affected applications is robust enough to gracefully handle exceptions that may occur during certificate name checks.
6. For critical systems, consider implementing redundancy or failover mechanisms to mitigate the impact of potential application terminations.
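To support the review of `otherName` usage called for in the mitigation list, the following is an added example (not code from the advisory or from OpenSSL) that walks the DER-encoded GeneralNames of a subjectAltName extension and reports every `otherName` entry, so certificates carrying that SAN form can be inventoried without a full X.509 library; the sample SAN bytes and the UPN OID they carry are constructed for the demonstration.

```python
# Added example (not from the advisory or OpenSSL): walk a DER-encoded subjectAltName
# value (GeneralNames) and report otherName entries. Tags: RFC 5280, section 4.2.1.6.
GENERAL_NAME_TAGS = {0xA0: "otherName", 0x81: "rfc822Name", 0x82: "dNSName",
                     0xA4: "directoryName", 0x86: "uniformResourceIdentifier", 0x87: "iPAddress"}

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 digit of this arc
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def parse_general_names(san_value):
    """Parse a SAN extension value into a list of (kind, detail) tuples."""
    tag, body, _ = _read_tlv(san_value, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName value must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        kind = GENERAL_NAME_TAGS.get(tag, "tag-0x%02x" % tag)
        if tag == 0xA0:  # OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }
            names.append((kind, _decode_oid(_read_tlv(value, 0)[1])))
        elif tag in (0x81, 0x82, 0x86):  # IA5String forms
            names.append((kind, value.decode("ascii")))
        else:
            names.append((kind, value.hex()))
    return names

def other_name_oids(san_value):
    """OIDs of every otherName entry; a non-empty list marks the cert for review."""
    return [d for kind, d in parse_general_names(san_value) if kind == "otherName"]

def _tlv(tag, body):  # short-form DER encoder, enough for the constructed sample below
    return bytes([tag, len(body)]) + body

# Constructed sample SAN (not from a real certificate): dNSName plus a UPN otherName.
SAMPLE_SAN = _tlv(0x30, _tlv(0x82, b"example.com")
                  + _tlv(0xA0, _tlv(0x06, bytes.fromhex("2b060104018237140203"))
                               + _tlv(0xA0, _tlv(0x0C, b"user@example.com"))))
```

Feed `other_name_oids` the raw value of each certificate's subjectAltName extension; any certificate that returns a non-empty list is one whose `otherName` entries are worth reviewing under step 4.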

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

Threat Intelligence Report

CVE-2024-6119 is a critical vulnerability affecting OpenSSL, but PAN-OS software and Cortex XDR Agent are not impacted as they do not use the affected version. There are no known proof-of-concept exploits in the wild, and no downstream impacts to other third-party vendors have been reported. Mitigations and patches are not necessary for products unaffected by this vulnerability.

Aug 22, 2024 at 6:06 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (757009)

Sep 3, 2024 at 7:53 AM
CVE Assignment

NVD published the first details for CVE-2024-6119

Sep 3, 2024 at 4:15 PM
First Article

Feedly found the first article mentioning CVE-2024-6119.

Sep 3, 2024 at 4:21 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Sep 3, 2024 at 4:21 PM
CVSS

A CVSS base score of 7.5 has been assigned.

Sep 3, 2024 at 9:40 PM / nvd
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (206483)

Sep 4, 2024 at 5:15 AM
EPSS

EPSS Score was set to: 0.05% (Percentile: 16.3%)

Sep 4, 2024 at 10:07 AM
Vendor Advisory

RedHat CVE advisory released a security advisory (CVE-2024-6119).

Sep 4, 2024 at 12:16 PM

Affected Systems

Openssl/openssl

Patches

bugzilla.redhat.com

References

CVE-2024-5535 Informational Bulletin: Impact of OpenSSL Vulnerabilities CVE-2024-5535 and CVE-2024-6119 (Severity: NONE)
At present, no other Palo Alto Networks products are known to contain the vulnerable software packages and be impacted by these issues. CVE-2024-6119 PAN-OS software does not use an affected version of OpenSSL.
Multiple vulnerabilities in QRadar Suite Software
A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Multiple vulnerabilities in IBM Observability with Instana
The vulnerability exists due to a boundary error when processing HTML content in WebKit. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system. The vulnerability exists due to integer overflow within the dtdCopy() function in xmlparse.c. A remote attacker can pass specially crafted input to the application, trigger an integer overflow and execute arbitrary code on the target system.

News

Oracle Linux 9 : edk2 (ELSA-2024-9088)
Nessus Plugin ID 211549 with Medium Severity Synopsis The remote Oracle Linux host is missing one or more security updates. Description The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-9088 advisory. - Resolves: RHEL-55336 (CVE-2024-6119 edk2/openssl: Possible denial of service in X.509 name checks [rhel-9.5]) - Resolves: RHEL-21653 (CVE-2023-6237 edk2: openssl: Excessive time spent checking invalid RSA public keys [rhel-9]) - Resolves: RHEL-21150 (CVE-2023-6129 edk2: mysql:
Do you want to spoil your security guys?
You know the problem - there are two patches for AIX, both patches fix the same component, you installed the latest and greatest, but your security guys don’t want to understand it. With the playbook you can easily check which fixes you should install without calling your security guys.
IBM App Connect Enterprise update for OpenSSL
A remote attacker can supply a specially crafted X.509 certificate to the server, trigger a type confusion error and perform a denial of service (DoS) attack. Risk: Medium. Patch available: Yes. Number of vulnerabilities: 2. CVE-ID: CVE-2024-6119.
RHSA-2024:9485: Important: Control plane Operators for RHOSO 18.0.3 (Feature Release 1) security update
OSPRH-8193 - [glance] Modifying osp-secret triggers an almost complete restart of the podified control plane
OSPRH-8290 - [manila] Modifying osp-secret triggers an almost complete restart of the podified control plane
Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.17
The vulnerability exists due to a NULL pointer dereference error in tif_dirinfo.c. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack. The vulnerability exists due to NULL pointer dereference within the spi_unregister_controller(), __spi_transfer_message_noqueue() and __spi_sync() functions in drivers/spi/spi.c. A local user can perform a denial of service (DoS) attack.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
