fkie_cve-2024-4741
Vulnerability from fkie_nvd
Published
2024-11-13 11:15
Modified
2024-11-13 17:01
Severity ?
Summary
Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause
memory to be accessed that was previously freed in some situations
Impact summary: A use after free can have a range of potential consequences such
as the corruption of valid data, crashes or execution of arbitrary code.
However, only applications that directly call the SSL_free_buffers function are
affected by this issue. Applications that do not call this function are not
vulnerable. Our investigations indicate that this function is rarely used by
applications.
The SSL_free_buffers function is used to free the internal OpenSSL buffer used
when processing an incoming record from the network. The call is only expected
to succeed if the buffer is not currently in use. However, two scenarios have
been identified where the buffer is freed even when still in use.
The first scenario occurs where a record header has been received from the
network and processed by OpenSSL, but the full record body has not yet arrived.
In this case calling SSL_free_buffers will succeed even though a record has only
been partially processed and the buffer is still in use.
The second scenario occurs where a full record containing application data has
been received and processed by OpenSSL but the application has only read part of
this data. Again a call to SSL_free_buffers will succeed even though the buffer
is still in use.
While these scenarios could occur accidentally during normal operation a
malicious attacker could attempt to engineer a stituation where this occurs.
We are not aware of this issue being actively exploited.
The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.
References
Impacted products
| Vendor | Product | Version |
|---|
{ cveTags: [], descriptions: [ { lang: "en", value: "Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause\nmemory to be accessed that was previously freed in some situations\n\nImpact summary: A use after free can have a range of potential consequences such\nas the corruption of valid data, crashes or execution of arbitrary code.\nHowever, only applications that directly call the SSL_free_buffers function are\naffected by this issue. Applications that do not call this function are not\nvulnerable. Our investigations indicate that this function is rarely used by\napplications.\n\nThe SSL_free_buffers function is used to free the internal OpenSSL buffer used\nwhen processing an incoming record from the network. The call is only expected\nto succeed if the buffer is not currently in use. However, two scenarios have\nbeen identified where the buffer is freed even when still in use.\n\nThe first scenario occurs where a record header has been received from the\nnetwork and processed by OpenSSL, but the full record body has not yet arrived.\nIn this case calling SSL_free_buffers will succeed even though a record has only\nbeen partially processed and the buffer is still in use.\n\nThe second scenario occurs where a full record containing application data has\nbeen received and processed by OpenSSL but the application has only read part of\nthis data. Again a call to SSL_free_buffers will succeed even though the buffer\nis still in use.\n\nWhile these scenarios could occur accidentally during normal operation a\nmalicious attacker could attempt to engineer a stituation where this occurs.\nWe are not aware of this issue being actively exploited.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.", }, { lang: "es", value: "Resumen del problema: Llamar a la función de API de OpenSSL SSL_free_buffers puede provocar que se acceda a la memoria que se liberó previamente en algunas situaciones Resumen del impacto: Un use after free puede tener una variedad de posibles consecuencias, como la corrupción de datos válidos, fallas o ejecución de código arbitrario. Sin embargo, solo las aplicaciones que llaman directamente a la función SSL_free_buffers se ven afectadas por este problema. Las aplicaciones que no llaman a esta función no son vulnerables. Nuestras investigaciones indican que las aplicaciones rara vez usan esta función. La función SSL_free_buffers se usa para liberar el búfer interno de OpenSSL que se usa al procesar un registro entrante de la red. Solo se espera que la llamada tenga éxito si el búfer no está actualmente en uso. Sin embargo, se han identificado dos escenarios en los que el búfer se libera incluso cuando todavía está en uso. El primer escenario ocurre cuando se recibió un encabezado de registro de la red y OpenSSL lo procesó, pero aún no llegó el cuerpo completo del registro. En este caso, llamar a SSL_free_buffers tendrá éxito incluso si un registro solo se procesó parcialmente y el búfer todavía está en uso. El segundo escenario ocurre cuando OpenSSL ha recibido y procesado un registro completo que contiene datos de la aplicación, pero la aplicación solo ha leído parte de estos datos. Nuevamente, una llamada a SSL_free_buffers tendrá éxito aunque el búfer aún esté en uso. Si bien estos escenarios podrían ocurrir accidentalmente durante el funcionamiento normal, un atacante malintencionado podría intentar crear una situación en la que esto ocurra. No tenemos conocimiento de que este problema se esté explotando activamente. Los módulos FIPS en 3.3, 3.2, 3.1 y 3.0 no se ven afectados por este problema.", }, ], id: "CVE-2024-4741", lastModified: "2024-11-13T17:01:16.850", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }, published: "2024-11-13T11:15:04.480", references: [ { source: "openssl-security@openssl.org", url: "https://github.com/openssl/openssl/commit/704f725b96aa373ee45ecfb23f6abfe8be8d9177", }, { source: "openssl-security@openssl.org", url: "https://github.com/openssl/openssl/commit/b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d", }, { source: "openssl-security@openssl.org", url: "https://github.com/openssl/openssl/commit/c88c3de51020c37e8706bf7a682a162593053aac", }, { source: "openssl-security@openssl.org", url: "https://github.com/openssl/openssl/commit/e5093133c35ca82874ad83697af76f4b0f7e3bd8", }, { source: "openssl-security@openssl.org", url: "https://github.openssl.org/openssl/extended-releases/commit/f7a045f3143fc6da2ee66bf52d8df04829590dd4", }, { source: "openssl-security@openssl.org", url: "https://www.openssl.org/news/secadv/20240528.txt", }, ], sourceIdentifier: "openssl-security@openssl.org", vulnStatus: "Awaiting Analysis", weaknesses: [ { description: [ { lang: "en", value: "CWE-416", }, ], source: "openssl-security@openssl.org", type: "Secondary", }, ], }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
Title of the comment
Description of the comment
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.