Out-of-bounds write in OpenSSL - CVE-2024-9143
Published: October 16, 2024 / Updated: February 11, 2025
Vulnerability identifier: #VU98757
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-9143
CWE-ID: CWE-787
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: OpenSSL Software Foundation
Affected software:
OpenSSL
OpenSSL
Detailed vulnerability description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error when using the low-level GF(2^m) elliptic curve APIs with untrusted explicit values for the field polynomial. A remote attacker can send specially crafted input to the server, trigger an out-of-bounds write and perform a denial of service (DoS) attack.
Note, the vulnerability can be exploited against the application in rare cases only that involve "exotic" curve encoding.
How to mitigate CVE-2024-9143
Install update from vendor's website.
Sources
- https://openssl-library.org/news/secadv/20241016.txt
- https://github.com/openssl/openssl/commit/c0d3e4d32d2805f49bec30547f225bc4d092e1f4
- https://github.com/openssl/openssl/commit/bc7e04d7c8d509fb78fc0e285aa948fb0da04700
- https://github.com/openssl/openssl/commit/fdf6723362ca51bd883295efe206cb5b1cfa5154
- https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712
- https://github.openssl.org/openssl/extended-releases/commit/8efc0cbaa8ebba8e116f7b81a876a4123594d86a
- https://github.openssl.org/openssl/extended-releases/commit/9d576994cec2b7aa37a91740ea7e680810957e41