CVE-2024-12797
CVSS 3.1 Score 6.3 of 10 (medium)
Details
Summary
CVE-2024-12797: A vulnerability exists in the handling of Raw Public Keys (RPKs) during TLS and DTLS handshakes in clients using OpenSSL. Clients that enable RPKs and rely on the handshake failing when the server's RPK does not match may fail to detect unauthenticated servers, making them susceptible to man-in-the-middle attacks. The issue only impacts clients that have explicitly enabled RPK usage and set the verification mode to SSL_VERIFY_PEER. Clients can still detect and respond to an RPK verification failure by calling SSL_get_verify_result(). This vulnerability was introduced in OpenSSL 3.2, but the FIPS modules in versions 3.4, 3.3, 3.2, 3.1, and 3.0 are not affected.
Affected Products
- OpenSSL
Affected Vendors
- The OpenSSL Project