CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-5535: SSL_select_next_proto buffer overread

Description

Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an
empty supported client protocols buffer may cause a crash or memory contents to
be sent to the peer.

Impact summary: A buffer overread can have a range of potential consequences
such as unexpected application beahviour or a crash. In particular this issue
could result in up to 255 bytes of arbitrary private data from memory being sent
to the peer leading to a loss of confidentiality. However, only applications
that directly call the SSL_select_next_proto function with a 0 length list of
supported client protocols are affected by this issue. This would normally never
be a valid scenario and is typically not under attacker control but may occur by
accident in the case of a configuration or programming error in the calling
application.

The OpenSSL API function SSL_select_next_proto is typically used by TLS
applications that support ALPN (Application Layer Protocol Negotiation) or NPN
(Next Protocol Negotiation). NPN is older, was never standardised and
is deprecated in favour of ALPN. We believe that ALPN is significantly more
widely deployed than NPN. The SSL_select_next_proto function accepts a list of
protocols from the server and a list of protocols from the client and returns
the first protocol that appears in the server list that also appears in the
client list. In the case of no overlap between the two lists it returns the
first item in the client list. In either case it will signal whether...

Classification

CVE ID: CVE-2024-5535

Affected Products

Vendor: OpenSSL

Product: OpenSSL

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 15.83% (scored less or equal to compared to others)

EPSS Date: 2025-03-14 (when was this score calculated)

References

https://www.openssl.org/news/secadv/20240627.txt
https://github.com/openssl/openssl/commit/e86ac436f0bd54d4517745483e2315650fae7b2c
https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e
https://github.com/openssl/openssl/commit/4ada436a1946cbb24db5ab4ca082b69c1bc10f37
https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c
https://github.openssl.org/openssl/extended-releases/commit/b78ec0824da857223486660177d3b1f255c65d87
https://github.openssl.org/openssl/extended-releases/commit/9947251413065a05189a63c9b7a6c1d4e224c21c
http://www.openwall.com/lists/oss-security/2024/06/27/1
http://www.openwall.com/lists/oss-security/2024/06/28/4
https://security.netapp.com/advisory/ntap-20240712-0005/

Timeline

2025-02-14 00:32:28 UTC
CVE

SSL_select_next_proto buffer overread
2025-04-14 06:00:44 UTC
Tenable Plugins

RHEL 9 : openssl (RHSA-2025:3666)