Man-in-the-Middle Vulnerability in OpenSSL Affecting Raw Public Key Authentication
CVE-2024-12797

6.3 MEDIUM

Key Information:

Vendor: OpenSSL
Status: Vendor
CVE Published: 11 February 2025

Badges

📈 Score: 764 | 👾 Exploit Exists | 📰 News Worthy

What is CVE-2024-12797?

CVE-2024-12797 is a vulnerability found in OpenSSL, specifically affecting its implementation of raw public key authentication (RPK). OpenSSL is a widely used cryptographic library that provides secure communication over computer networks. This vulnerability creates a potential security risk where clients might fail to notice that a server has not been properly authenticated. Consequently, this lapse can expose organizations to man-in-the-middle attacks, undermining the integrity and confidentiality of data exchanged.

Technical Details

The vulnerability arises when a client authenticates the server with raw public keys, that is, with RPK enabled and the SSL_VERIFY_PEER verification mode set. Under these conditions, if the server’s RPK does not match any of the expected public keys, the handshake does not abort as it should. The client is therefore not alerted to the authentication failure and is left exposed to attack. However, clients that check the verification result after the handshake can still detect the failure, provided they implement the necessary error handling.

Potential Impact of CVE-2024-12797

  1. Man-in-the-Middle Attacks: The core risk is that attackers can exploit this vulnerability to intercept and potentially alter communications between clients and servers without detection. If the server is not authenticated properly, sensitive data could be compromised.

  2. Data Integrity Loss: Due to the lack of proper verification during the handshake, the integrity of data exchanged could be diminished, exposing organizations to risks of data tampering by malicious actors.

  3. Operational Disruptions: Organizations relying on secure communications might face operational challenges if the vulnerability is exploited, affecting business processes and potentially eroding the trust of customers and partners in their security practices.

Affected Version(s)

OpenSSL 3.4.0 < 3.4.1

OpenSSL 3.3.0 < 3.3.3

OpenSSL 3.2.0 < 3.2.4
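
A triage pass over collected `openssl version` banners using the ranges listed above. This is an added example, not code from OpenSSL or from this page; the host names and banners are constructed, and the function names are hypothetical.

```python
import re

# Fixed release per affected branch, from the "Affected Version(s)" list above.
FIXED = {(3, 4): (3, 4, 1), (3, 3): (3, 3, 3), (3, 2): (3, 2, 4)}

# Matches the upstream banner only; other libraries (e.g. LibreSSL) are not parsed.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def classify(banner):
    """Return 'affected', 'fixed', 'not-listed' or 'unparsed' for one banner."""
    match = VERSION_RE.search(banner)
    if match is None:
        return "unparsed"
    version = tuple(int(part) for part in match.groups())
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # Branch does not appear in the affected list on this page.
        return "not-listed"
    return "affected" if version < fixed else "fixed"


def audit(inventory):
    """Map each host to its classification."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE_INVENTORY = {
    "edge-01": "OpenSSL 3.4.0 22 Oct 2024 (Library: OpenSSL 3.4.0 22 Oct 2024)",
    "edge-02": "OpenSSL 3.4.1 11 Feb 2025 (Library: OpenSSL 3.4.1 11 Feb 2025)",
    "api-01": "OpenSSL 3.3.2 3 Sep 2024 (Library: OpenSSL 3.3.2 3 Sep 2024)",
    "db-01": "OpenSSL 3.0.15 3 Sep 2024 (Library: OpenSSL 3.0.15 3 Sep 2024)",
    "legacy-01": "OpenSSL 1.1.1w  11 Sep 2023",
    "bsd-01": "LibreSSL 3.8.2",
}

if __name__ == "__main__":
    # Caveat: distribution packages may backport the fix without changing the
    # upstream version number, so treat 'affected' as "check the vendor advisory".
    # The flaw only matters for clients that enable RPK with SSL_VERIFY_PEER.
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host:10s} {status}")
```
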

News Articles

Critical OpenSSL Vulnerability Let Attackers Launch Man-in-the-Middle Attacks

A high-severity security vulnerability (CVE-2024-12797) has been identified in OpenSSL, one of the most widely used cryptographic libraries.

Critical OpenSSL Vulnerability Allow Hackers to Launch Man-in-the-Middle Attacks

The OpenSSL Project announced a high-severity vulnerability (CVE-2024-12797) affecting versions 3.2, 3.3, and 3.4 of the widely used cryptographic library.

OpenSSL patched high-severity flaw CVE-2024-12797

OpenSSL patched the vulnerability CVE-2024-12797, a high-severity flaw found by Apple that enables man-in-the-middle attacks.

CVSS V3.1

Score: 6.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • 👾 Exploit known to exist

  • 📰 First article discovered by SecurityWeek

  • Vulnerability published

  • Vulnerability Reserved

Credit

Apple Inc.
Viktor Dukhovni