Armis Vulnerability Intelligence Database

Description Preview

The vulnerability is found in the OpenSSL software, specifically in the functions EVP_PKEY_param_check() and EVP_PKEY_public_check(). These functions perform various checks on DSA parameters, and some of these computations can take a long time if the modulus (`p` parameter) is too large. OpenSSL does not limit the modulus size when performing these checks, which can lead to long delays. If the key or parameters being checked are obtained from an untrusted source, this could potentially lead to a Denial of Service (DoS) attack. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.

Overview

The vulnerability was discovered by OSS-Fuzz and remediation was developed by Tomas Mraz. It affects OpenSSL versions 3.0.0 to 3.0.14, 3.1.0 to 3.1.6, 3.2.0 to 3.2.2, and 3.3.0 to 3.3.1. The vulnerability was published on 16th May 2024 and updated on 14th October 2024.

Remediation

Patches for the vulnerability have been released and can be found at the following URLs:

3.0.14: https://github.com/openssl/openssl/commit/3559e868e58005d15c6013a0c1fd832e51c73397
3.1.6: https://github.com/openssl/openssl/commit/9c39b3858091c152f52513c066ff2c5a47969f0d
3.2.2: https://github.com/openssl/openssl/commit/da343d0605c826ef197aceedc67e8e04f065f740
3.3.1: https://github.com/openssl/openssl/commit/53ea06486d296b890d565fb971b2764fcd826e7e

Users are advised to update their OpenSSL software to the latest version to mitigate this vulnerability.

References

OpenSSL Advisory: https://www.openssl.org/news/secadv/20240516.txt
OSS Security: http://www.openwall.com/lists/oss-security/2024/05/16/2
NetApp Security Advisory: https://security.netapp.com/advisory/ntap-20240621-0001/

Industry ExposureMost to least
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

Manufacturing
Manufacturing
Health Care & Social Assistance
Health Care & Social Assistance
Public Administration
Public Administration
Educational Services
Educational Services
Finance and Insurance
Finance and Insurance
Professional, Scientific, & Technical Services
Professional, Scientific, & Technical Services
Transportation & Warehousing
Transportation & Warehousing
Utilities
Utilities
Retail Trade
Retail Trade
Other Services (except Public Administration)
Other Services (except Public Administration)
Information
Information
Management of Companies & Enterprises
Management of Companies & Enterprises
Arts, Entertainment & Recreation
Arts, Entertainment & Recreation
Accommodation & Food Services
Accommodation & Food Services
Construction
Construction
Agriculture, Forestry Fishing & Hunting
Agriculture, Forestry Fishing & Hunting
Mining
Mining
Real Estate Rental & Leasing
Real Estate Rental & Leasing
Wholesale Trade
Wholesale Trade
Administrative, Support, Waste Management & Remediation Services
Administrative, Support, Waste Management & Remediation Services

^{CVE-2024-4603:}The vulnerability identified as CVE-2024-4603 is related to OpenSSL. It involves excessive time spent checking DSA keys and parameters, which could potentially lead to a Denial of Service (DoS) attack.

Description Preview

Overview

Remediation

References

Focus on What Matters

Let's talk!