OpenSSL bug exposed up to 255 bytes of server heap and existed since 2011
CVE-2024-5535 is a historical OpenSSL vulnerability allowing buffer overreads, affecting Python and Node.js versions up to 3.9 and 9, respectively. Users should review usage of `SSL_select_next_proto`.
Read original article
CVE-2024-5535 is a vulnerability in OpenSSL that has existed since 2011, allowing a buffer overread in the `SSL_select_next_proto` function. This issue can lead to the unintentional transmission of up to 255 bytes of a client's heap memory to a server when certain conditions are met, specifically when the server supports Next Protocol Negotiation (NPN). The vulnerability affects Python versions up to 3.9 and Node.js versions up to 9, as well as all versions of OpenSSL 1.0.x, 1.1.x, and 3.x. Although NPN was abandoned in 2012 and is rarely used in modern servers, the potential for exploitation exists in legacy systems. The timeline of the vulnerability's discovery includes various reports and acknowledgments from the OpenSSL project and related parties, culminating in the assignment of CVE-2024-5535 and a low severity rating. The vulnerability was confirmed to have affected Android until 2014. The discovery of this bug highlights the inadequacy of previous audits and analyses in identifying the issue earlier. Users of affected software are advised to review their historical usage of `SSL_select_next_proto` and consider rolling any secrets that may have been exposed. The vulnerability's impact is primarily historical, as newer versions of Python and Node.js have removed NPN support, reducing the likelihood of exploitation in current applications.
Related
A buffer overflow in the XNU kernel
CVE-2024-27815 is a buffer overflow bug in XNU kernel affecting macOS, iOS, and visionOS. Apple swiftly released xnu-10063.121.3 to fix the issue, impacting kernels with CONFIG_MBUF_MCACHE. The bug allows attackers to trigger a crash by copying data beyond allocated space.
OpenSSL CVE-2024-5535: `SSL_select_next_proto` buffer overread
A bug, CVE-2024-5535, in OpenSSL since 2011 allows heap data leakage. Impacts Python <= 3.9, Node.js <= 9. NPN support removal in newer versions reduces risk. Bug affects SSL_select_next_proto in OpenSSL, BoringSSL, LibreSSL. Memory safety risks demand caution and updates.
CVE-2021-4440: A Linux CNA Case Study
The Linux CNA mishandled CVE-2021-4440 in the 5.10 LTS kernel, causing information leakage and KASLR defeats. The issue affected Debian Bullseye and SUSE's 5.3.18 kernel, resolved in version 5.10.218.
RegreSSHion: RCE in OpenSSH's server, on glibc-based Linux systems
A vulnerability in OpenSSH's server on glibc-based Linux systems (CVE-2024-6387) allows remote code execution. Exploiting this flaw requires precise timing. The advisory discusses exploitation details, success rates, and contacting developers for related issues.
The Wild West of Proof of Concept Exploit Code (PoC)
CVE-2024-6387 is a serious unauthenticated remote code execution vulnerability in OpenSSH, with complex exploitation requiring knowledge of system architecture. The exploit code contains malicious elements, emphasizing risks of untrusted code.
7 commentsWhen SPDY, the precursor of HTTP/2, got introduced, it needed a mechanism to signal that within TLS, a different protocol (SPDY instead of HTTP/1.1) was spoken. That mechanism was originally NPN. I don't know the exact details and motivation, but eventually people seem to have decided that NPN wasn't exactly what they wanted, and they invented a new mechanism called ALPN.
Now, that was a decade ago (the ALPN RFC is from 2014), so the question is: why do we still have NPN code in OpenSSL? I don't think anyone uses it any more. Shouldn't it have been removed long ago?
To put this in a larger context: it appears to me that OpenSSL still has a strong tendency to bloat. Heartbleed was essentially a "we added this feature, although noone knows why we need it" kind of bug, but it doesn't look to me they've changed. I still get the feeling that OpenSSL adds many features that they probably just should ignore (e.g. obscure "not invented here"-type algorithms), and they don't remove features that are obsolete.
The post: "Silently sends up to 255 bytes of the client’s heap to the server."
The implementation is incredibly simple. Treat all blocks of memory as blob with a known size and then read/write into those blobs with a cursor to track progress and bounds checks on every access. Fence all serialization/deserialization through a safe low level interface. Not only do you get memory safety (which we later proved using formal reasoning) ... but when you're parsing message formats it lends itself to a declarative coding style that makes it very clear what the structure is. You can also do lifecycle things, like erasing sensitive memory with zeroes when you're done with it, making sure things don't show up in core dumps, etc. BoringSSL introduced a Crypto_bytes API that also did some of this plus bounds checking, and retrofit it into OpenSSL.
OpenSSL on the other hand is a horrific mash up of raw pointer arithmetic, ad-hoc parsers interleaved with business logic and control flow. I could never keep it straight, and it always scared me to review.
> Meeting those constraints is quite unlikely nowadays:
> NPN is a precursor to ALPN and was abandoned in 2012. It is very uncommon on internet servers now.
> Node.js 10 and later removed NPN support, and is well past end-of-life.
> Python 3.10 and later removed NPN support.
OpenSSL advisory: https://openssl-library.org/news/secadv/20240627.txt
> Severity: Low
> Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer.
BoringSSL fix: https://boringssl.googlesource.com/boringssl/+/c1d9ac02514a1...
The heap leak was independently observed in 2014 in the Android okhttp library: https://github.com/square/okhttp/issues/437#issuecomment-358...
That's what I doubt at all. I rather trust the compilers than the openssl devs.
Related
A buffer overflow in the XNU kernel
CVE-2024-27815 is a buffer overflow bug in XNU kernel affecting macOS, iOS, and visionOS. Apple swiftly released xnu-10063.121.3 to fix the issue, impacting kernels with CONFIG_MBUF_MCACHE. The bug allows attackers to trigger a crash by copying data beyond allocated space.
OpenSSL CVE-2024-5535: `SSL_select_next_proto` buffer overread
A bug, CVE-2024-5535, in OpenSSL since 2011 allows heap data leakage. Impacts Python <= 3.9, Node.js <= 9. NPN support removal in newer versions reduces risk. Bug affects SSL_select_next_proto in OpenSSL, BoringSSL, LibreSSL. Memory safety risks demand caution and updates.
CVE-2021-4440: A Linux CNA Case Study
The Linux CNA mishandled CVE-2021-4440 in the 5.10 LTS kernel, causing information leakage and KASLR defeats. The issue affected Debian Bullseye and SUSE's 5.3.18 kernel, resolved in version 5.10.218.
RegreSSHion: RCE in OpenSSH's server, on glibc-based Linux systems
A vulnerability in OpenSSH's server on glibc-based Linux systems (CVE-2024-6387) allows remote code execution. Exploiting this flaw requires precise timing. The advisory discusses exploitation details, success rates, and contacting developers for related issues.
The Wild West of Proof of Concept Exploit Code (PoC)
CVE-2024-6387 is a serious unauthenticated remote code execution vulnerability in OpenSSH, with complex exploitation requiring knowledge of system architecture. The exploit code contains malicious elements, emphasizing risks of untrusted code.