cbcvebase.
CVE-2024-5535
published 2024-06-27

CVE-2024-5535: Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to…

PriorityP262critical9.1CVSS 3.1
AVNACLPRNUINSUCHINAH
EPSS
5.58%
91.9th percentile
Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer. Impact summary: A buffer overread can have a range of potential consequences such as unexpected application beahviour or a crash. In particular this issue could result in up to 255 bytes of arbitrary private data from memory being sent to the peer leading to a loss of confidentiality. However, only applications that directly call the SSL_select_next_proto function with a 0 length list of supported client protocols are affected by this issue. This would normally never be a valid scenario and is typically not under attacker control but may occur by accident in the case of a configuration or programming error in the calling application. The OpenSSL API function SSL_select_next_proto is typically used by TLS applications that support ALPN (Application Layer Protocol Negotiation) or NPN (Next Protocol Negotiation). NPN is older, was never standardised and is deprecated in favour of ALPN. We believe that ALPN is significantly more widely deployed than NPN. The SSL_select_next_proto function accepts a list of protocols from the server and a list of protocols from the client and returns the first protocol that appears in the server list that also appears in the client list. In the case of no overlap between the two lists it returns the first item in the client list. In either case it will signal whether an overlap between the two lists was found. In the case where SSL_select_next_proto is called with a zero length client list it fails to notice this condition and returns the memory immediately following the client list pointer (and reports that there was no overlap in the lists). This function is typically called from a server side application callback for ALPN or a client side application callback for NPN. In the case of ALPN the list of protocols supplied by the client is guaranteed by libssl

Affected

45 ranges· showing 25
VendorProductVersion rangeFixed in
debianopenssl< openssl 3.0.15-1~deb12u1 (bookworm)openssl 3.0.15-1~deb12u1 (bookworm)
debianpypy3< pypy3 7.3.10+dfsg-1 (bookworm)pypy3 7.3.10+dfsg-1 (bookworm)
debianpython2.7< pypy3 7.3.10+dfsg-1 (bookworm)pypy3 7.3.10+dfsg-1 (bookworm)
debianpython3.11< pypy3 7.3.10+dfsg-1 (bookworm)pypy3 7.3.10+dfsg-1 (bookworm)
debianpython3.13< pypy3 7.3.10+dfsg-1 (bookworm)pypy3 7.3.10+dfsg-1 (bookworm)
debianpython3.9< pypy3 7.3.10+dfsg-1 (bookworm)pypy3 7.3.10+dfsg-1 (bookworm)
msrcazure_linux_3.0_arm
msrcazure_linux_3.0_x64
msrccbl_mariner_2.0_arm
msrccbl_mariner_2.0_x64
msrcmicrosoft_defender_for_endpoint_for_android
msrcmicrosoft_defender_for_endpoint_for_ios
opensslopenssl>= 0 < 3.0.14-r03.0.14-r0
opensslopenssl>= 0 < 3.1.6-r03.1.6-r0
opensslopenssl>= 0 < 3.1.6-r03.1.6-r0
opensslopenssl>= 0 < 3.3.1-r13.3.1-r1
opensslopenssl>= 0 < 3.3.1-r13.3.1-r1
opensslopenssl>= 0 < 3.3.1-r13.3.1-r1
opensslopenssl>= 0 < 3.3.1-r13.3.1-r1
opensslopenssl>= 0 < 1.1.1w-0+deb11u21.1.1w-0+deb11u2
opensslopenssl>= 0 < 3.0.15-1~deb12u13.0.15-1~deb12u1
opensslopenssl>= 0 < 3.3.2-13.3.2-1
opensslopenssl>= 0 < 3.3.2-13.3.2-1
opensslopenssl>= 0 < 1.1.1f-1ubuntu2.231.1.1f-1ubuntu2.23
opensslopenssl>= 0 < 3.0.2-0ubuntu1.173.0.2-0ubuntu1.17

Detection & IOCsextracted from sources · hover to see the quote

  • Detect calls to SSL_select_next_proto with a zero-length client protocol list (client_len == 0), which triggers the buffer overread condition
  • Flag TLS applications using NPN (Next Protocol Negotiation) callbacks where SSL_select_next_proto is invoked with a client_len of 0, as this leads to an invalid memory pointer being returned and potential memory disclosure
  • In Python/CPython environments, detect use of SSLContext.set_npn_protocols() configured with an empty list ('[]'), which passes a zero-length buffer to the underlying OpenSSL SSL_select_next_proto API
  • Monitor for up to 255 bytes of arbitrary memory being transmitted to a TLS peer during ALPN/NPN negotiation, which may indicate exploitation of this buffer overread
  • ·Only applications that directly call SSL_select_next_proto with a zero-length client protocol list are vulnerable; this is typically a misconfiguration or programming error, not a condition under attacker control
  • ·ALPN-based applications are significantly less likely to be vulnerable because libssl guarantees the client-supplied protocol list is never zero-length in ALPN; NPN-based applications are the primary risk
  • ·The FIPS modules in OpenSSL versions 3.3, 3.2, 3.1, and 3.0 are not affected by this issue
  • ·The shim and shim-unsigned-x64 packages are not impacted because the affected OpenSSL code path is not utilized by those packages

CVSS provenance

nvdv3.19.1CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
osv9.1CRITICAL
vendor_debian9.1CRITICAL
vendor_msrc9.1CRITICAL
vendor_oracle9.1CRITICAL
vendor_redhat9.1CRITICAL
vendor_ubuntu7.4HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.