#VU85808 NULL pointer dereference in OpenSSL - CVE-2024-0727

Cybersecurity Help s.r.o.

Published: 2024-01-25 | Updated: 2024-04-08

Vulnerability identifier: #VU85808

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-0727

CWE-ID: CWE-476

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenSSL
Server applications / Encryption software

Vendor: OpenSSL Software Foundation

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error when processing fields in the PKCS12 certificate. A remote attacker can pass specially crafted certificate to the server and perform a denial of service (DoS) attack.

Mitigation
Install update from vendor's website.

Vulnerable software versions

OpenSSL: 1.0.2h - 1.0.2p, 1.1.1d - 1.1.1p, 3.0.0 - 3.0.12, 3.1.0 - 3.1.4, 3.2.0

External links
https://www.openssl.org/news/secadv/20240125.txt

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Meinberg LANTIME firmware update for third-party components (February 2024)

Multiple vulnerabilities in IBM webMethods Managed File Transfer

Multiple vulnerabilities in Dell PowerProtect Data Manager

Dell EMC NetWorker vProxy update for third-party components

Anolis OS update for openssl

Multiple vulnerabilities in IBM Cloud Pak for AIOps

Multiple vulnerabilities in IBM Storage Protect Backup-Archive Client

Cisco NX-OS Firmware update for OpenSSL

Fedora EPEL 8 update for openssl3

Multiple vulnerabilities in HP-UX Using OpenSSL