CVE-2024-4741
Vulnerability from cvelistv5
Published
2024-11-13 10:20
Modified
2024-11-13 14:49
Severity ?
Summary
Use After Free with SSL_free_buffers
Impacted products
OpenSSLOpenSSL
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:openssl:openssl:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "openssl",
            "vendor": "openssl",
            "versions": [
              {
                "lessThan": "1.1.1y",
                "status": "affected",
                "version": "1.1.1",
                "versionType": "semver"
              },
              {
                "lessThan": "3.0.14",
                "status": "affected",
                "version": "3.0.0",
                "versionType": "semver"
              },
              {
                "lessThan": "3.1.6",
                "status": "affected",
                "version": "3.1.0",
                "versionType": "semver"
              },
              {
                "lessThan": "3.2.2",
                "status": "affected",
                "version": "3.2.0",
                "versionType": "semver"
              },
              {
                "lessThan": "3.3.1",
                "status": "affected",
                "version": "3.3.0",
                "versionType": "semver"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-4741",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-13T14:45:07.092438Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-13T14:49:05.977Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "OpenSSL",
          "vendor": "OpenSSL",
          "versions": [
            {
              "lessThan": "3.3.1",
              "status": "affected",
              "version": "3.3.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.2.2",
              "status": "affected",
              "version": "3.2.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.1.6",
              "status": "affected",
              "version": "3.1.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.0.14",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.1.1y",
              "status": "affected",
              "version": "1.1.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "William Ahern (Akamai)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Matt Caswell"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Watson Ladd (Akamai)"
        }
      ],
      "datePublic": "2024-05-27T23:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause\u003cbr\u003ememory to be accessed that was previously freed in some situations\u003cbr\u003e\u003cbr\u003eImpact summary: A use after free can have a range of potential consequences such\u003cbr\u003eas the corruption of valid data, crashes or execution of arbitrary code.\u003cbr\u003eHowever, only applications that directly call the SSL_free_buffers function are\u003cbr\u003eaffected by this issue. Applications that do not call this function are not\u003cbr\u003evulnerable. Our investigations indicate that this function is rarely used by\u003cbr\u003eapplications.\u003cbr\u003e\u003cbr\u003eThe SSL_free_buffers function is used to free the internal OpenSSL buffer used\u003cbr\u003ewhen processing an incoming record from the network. The call is only expected\u003cbr\u003eto succeed if the buffer is not currently in use. However, two scenarios have\u003cbr\u003ebeen identified where the buffer is freed even when still in use.\u003cbr\u003e\u003cbr\u003eThe first scenario occurs where a record header has been received from the\u003cbr\u003enetwork and processed by OpenSSL, but the full record body has not yet arrived.\u003cbr\u003eIn this case calling SSL_free_buffers will succeed even though a record has only\u003cbr\u003ebeen partially processed and the buffer is still in use.\u003cbr\u003e\u003cbr\u003eThe second scenario occurs where a full record containing application data has\u003cbr\u003ebeen received and processed by OpenSSL but the application has only read part of\u003cbr\u003ethis data. Again a call to SSL_free_buffers will succeed even though the buffer\u003cbr\u003eis still in use.\u003cbr\u003e\u003cbr\u003eWhile these scenarios could occur accidentally during normal operation a\u003cbr\u003emalicious attacker could attempt to engineer a stituation where this occurs.\u003cbr\u003eWe are not aware of this issue being actively exploited.\u003cbr\u003e\u003cbr\u003eThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue."
            }
          ],
          "value": "Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause\nmemory to be accessed that was previously freed in some situations\n\nImpact summary: A use after free can have a range of potential consequences such\nas the corruption of valid data, crashes or execution of arbitrary code.\nHowever, only applications that directly call the SSL_free_buffers function are\naffected by this issue. Applications that do not call this function are not\nvulnerable. Our investigations indicate that this function is rarely used by\napplications.\n\nThe SSL_free_buffers function is used to free the internal OpenSSL buffer used\nwhen processing an incoming record from the network. The call is only expected\nto succeed if the buffer is not currently in use. However, two scenarios have\nbeen identified where the buffer is freed even when still in use.\n\nThe first scenario occurs where a record header has been received from the\nnetwork and processed by OpenSSL, but the full record body has not yet arrived.\nIn this case calling SSL_free_buffers will succeed even though a record has only\nbeen partially processed and the buffer is still in use.\n\nThe second scenario occurs where a full record containing application data has\nbeen received and processed by OpenSSL but the application has only read part of\nthis data. Again a call to SSL_free_buffers will succeed even though the buffer\nis still in use.\n\nWhile these scenarios could occur accidentally during normal operation a\nmalicious attacker could attempt to engineer a stituation where this occurs.\nWe are not aware of this issue being actively exploited.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue."
        }
      ],
      "metrics": [
        {
          "format": "other",
          "other": {
            "content": {
              "text": "Low"
            },
            "type": "https://www.openssl.org/policies/secpolicy.html"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-416",
              "description": "CWE-416 Use After Free",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-13T10:20:50.711Z",
        "orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
        "shortName": "openssl"
      },
      "references": [
        {
          "name": "OpenSSL Advisory",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.openssl.org/news/secadv/20240528.txt"
        },
        {
          "name": "3.3.1 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/e5093133c35ca82874ad83697af76f4b0f7e3bd8"
        },
        {
          "name": "3.2.2 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/c88c3de51020c37e8706bf7a682a162593053aac"
        },
        {
          "name": "3.1.6 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/704f725b96aa373ee45ecfb23f6abfe8be8d9177"
        },
        {
          "name": "3.0.14 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d"
        },
        {
          "name": "1.1.1y git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.openssl.org/openssl/extended-releases/commit/f7a045f3143fc6da2ee66bf52d8df04829590dd4"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Use After Free with SSL_free_buffers",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
    "assignerShortName": "openssl",
    "cveId": "CVE-2024-4741",
    "datePublished": "2024-11-13T10:20:50.711Z",
    "dateReserved": "2024-05-10T09:56:11.310Z",
    "dateUpdated": "2024-11-13T14:49:05.977Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-4741\",\"sourceIdentifier\":\"openssl-security@openssl.org\",\"published\":\"2024-11-13T11:15:04.480\",\"lastModified\":\"2024-11-13T17:01:16.850\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause\\nmemory to be accessed that was previously freed in some situations\\n\\nImpact summary: A use after free can have a range of potential consequences such\\nas the corruption of valid data, crashes or execution of arbitrary code.\\nHowever, only applications that directly call the SSL_free_buffers function are\\naffected by this issue. Applications that do not call this function are not\\nvulnerable. Our investigations indicate that this function is rarely used by\\napplications.\\n\\nThe SSL_free_buffers function is used to free the internal OpenSSL buffer used\\nwhen processing an incoming record from the network. The call is only expected\\nto succeed if the buffer is not currently in use. However, two scenarios have\\nbeen identified where the buffer is freed even when still in use.\\n\\nThe first scenario occurs where a record header has been received from the\\nnetwork and processed by OpenSSL, but the full record body has not yet arrived.\\nIn this case calling SSL_free_buffers will succeed even though a record has only\\nbeen partially processed and the buffer is still in use.\\n\\nThe second scenario occurs where a full record containing application data has\\nbeen received and processed by OpenSSL but the application has only read part of\\nthis data. Again a call to SSL_free_buffers will succeed even though the buffer\\nis still in use.\\n\\nWhile these scenarios could occur accidentally during normal operation a\\nmalicious attacker could attempt to engineer a stituation where this occurs.\\nWe are not aware of this issue being actively exploited.\\n\\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"openssl-security@openssl.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"references\":[{\"url\":\"https://github.com/openssl/openssl/commit/704f725b96aa373ee45ecfb23f6abfe8be8d9177\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://github.com/openssl/openssl/commit/b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://github.com/openssl/openssl/commit/c88c3de51020c37e8706bf7a682a162593053aac\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://github.com/openssl/openssl/commit/e5093133c35ca82874ad83697af76f4b0f7e3bd8\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://github.openssl.org/openssl/extended-releases/commit/f7a045f3143fc6da2ee66bf52d8df04829590dd4\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://www.openssl.org/news/secadv/20240528.txt\",\"source\":\"openssl-security@openssl.org\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.