CVE-2024-2511
published 2024-04-08


Priority: P349 · medium · 5.9 (CVSS 3.1)
CVSS vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 54.03% (98.9th percentile)
Issue summary: Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions.

Impact summary: An attacker may exploit certain server configurations to trigger unbounded memory growth that would lead to a Denial of Service.

This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is being used (but not if early_data support is also configured and the default anti-replay protection is in use). In this case, under certain conditions, the session cache can get into an incorrect state and it will fail to flush properly as it fills. The session cache will continue to grow in an unbounded manner. A malicious client could deliberately create the scenario for this failure to force a Denial of Service. It may also happen by accident in normal operation.

This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS clients.

The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL 1.0.2 is also not affected by this issue.

Affected

42 ranges · showing 25

Vendor  | Product                                                      | Version range                          | Fixed in
debian  | openssl                                                      | < openssl 3.0.14-1~deb12u1 (bookworm)  | openssl 3.0.14-1~deb12u1 (bookworm)
msrc    | azl3_cloud-hypervisor-cvm_38.0.72-2_on_azure_linux_3.0       |                                        |
msrc    | azl3_cloud-hypervisor-cvm_38.0.72.2-1_on_azure_linux_3.0     |                                        |
msrc    | azl3_edk2_20240524git3e722403cd16-8_on_azure_linux_3.0       |                                        |
msrc    | azl3_nodejs_20.10.0-2_on_azure_linux_3.0                     |                                        |
msrc    | azl3_nodejs_20.14.0-1_on_azure_linux_3.0                     |                                        |
msrc    | azl3_openssl_3.1.4-9_on_azure_linux_3.0                      |                                        |
msrc    | azl3_openssl_3.3.0-1_on_azure_linux_3.0                      |                                        |
msrc    | azl3_qemu_8.2.0-16_on_azure_linux_3.0                        |                                        |
msrc    | azure_linux_3.0_arm                                          |                                        |
msrc    | azure_linux_3.0_x64                                          |                                        |
msrc    | cbl2_cloud-hypervisor-cvm_38.0.72-1_on_cbl_mariner_2.0       |                                        |
msrc    | cbl2_cloud-hypervisor-cvm_38.0.72.2-1_on_cbl_mariner_2.0     |                                        |
msrc    | cbl2_hvloader_1.0.1-5_on_cbl_mariner_2.0                     |                                        |
msrc    | cbl2_hvloader_1.0.1-6_on_cbl_mariner_2.0                     |                                        |
msrc    | cbl2_nodejs18_18.18.2-7_on_cbl_mariner_2.0                   |                                        |
msrc    | cbl2_openssl_1.1.1k-30_on_cbl_mariner_2.0                    |                                        |
msrc    | cbl2_openssl_1.1.1k-36_on_cbl_mariner_2.0                    |                                        |
msrc    | cbl_mariner_2.0_arm                                          |                                        |
msrc    | cbl_mariner_2.0_x64                                          |                                        |
openssl | openssl                                                      | >= 0 < 3.0.12-r5                       | 3.0.12-r5
openssl | openssl                                                      | >= 0 < 3.1.4-r6                        | 3.1.4-r6
openssl | openssl                                                      | >= 0 < 3.1.4-r6                        | 3.1.4-r6
openssl | openssl                                                      | >= 0 < 3.2.1-r2                        | 3.2.1-r2
openssl | openssl                                                      | >= 0 < 3.2.1-r2                        | 3.2.1-r2

Detection & IOCs (extracted from sources)

  • Target servers must have TLSv1.3 enabled with the non-default SSL_OP_NO_TICKET option set; detect exploitation by monitoring for unbounded/continuous growth of the TLS session cache on the server process.
  • Only TLS servers (not clients) running TLSv1.3 are affected; scope detection/monitoring to server-side OpenSSL processes with TLSv1.3 session handling.
  • A malicious client can deliberately and repeatedly trigger the session cache corruption to force DoS; monitor for abnormal memory growth in OpenSSL-linked server processes accepting TLSv1.3 connections.
  • Vulnerability is only triggered when the non-default SSL_OP_NO_TICKET option is enabled on the TLS server; servers using default ticket-based session resumption are NOT vulnerable.
  • OpenSSL 1.0.2 and the FIPS modules in versions 3.0, 3.1, and 3.2 are NOT affected; focus detection on OpenSSL 1.1.x and 3.x non-FIPS builds.
  • If early_data support is configured alongside SSL_OP_NO_TICKET and the default anti-replay protection is active, the vulnerability does NOT apply.
  • Red Hat Enterprise Linux 7 (OpenSSL 1.0.2) is confirmed not affected; RHEL 8 and 9 fixes are deferred, so treat those systems as unpatched until updated.

CVSS provenance

Source        | CVSS version | Score | Severity | Vector
nvd           | 3.1          | 5.9   | MEDIUM   | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
osv           |              | 7.4   | HIGH     |
vendor_oracle |              | 7.5   | MEDIUM   |
vendor_ubuntu |              | 7.4   | HIGH     |
vendor_debian |              | 5.9   | MEDIUM   |
vendor_msrc   |              | 5.9   | MEDIUM   |
vendor_redhat |              | 5.9   | MEDIUM   |