CVE-2024-5535

9.1 CRITICAL

📋 TL;DR

This OpenSSL vulnerability allows up to 255 bytes of arbitrary private memory data to be sent to a peer when SSL_select_next_proto is called with an empty client protocols buffer. Only applications that directly call this function with a zero-length protocol list are affected, which typically requires a configuration or programming error. The issue primarily impacts applications using deprecated NPN rather than ALPN.

💻 Affected Systems

Products:
  • OpenSSL
Versions: All versions prior to fix (specific fixed versions not yet released)
Operating Systems: All platforms running affected OpenSSL versions
Default Config Vulnerable: ✅ No
Notes: Only affects applications that directly call SSL_select_next_proto with client_len=0. FIPS modules in 3.3, 3.2, 3.1 and 3.0 are NOT affected.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Up to 255 bytes of sensitive memory contents (potentially containing private keys, session data, or other secrets) are transmitted to a peer, leading to data breach and loss of confidentiality.

🟠 Likely Case

Application crash or unexpected behavior due to buffer overread; actual data leakage requires specific configuration errors and use of deprecated NPN.

🟢 If Mitigated

No impact if applications use ALPN correctly or avoid calling SSL_select_next_proto with empty protocol lists.

🌐 Internet-Facing: LOW - Requires specific application programming errors, deprecated NPN usage, and is not typically under attacker control.
🏢 Internal Only: LOW - Same constraints apply; exploitation unlikely without application misconfiguration.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploitation requires application programming/configuration errors and use of deprecated NPN. Not typically under attacker control.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not yet released (will be included in next OpenSSL releases)

Vendor Advisory: https://github.com/openssl/openssl/commit/4ada436a1946cbb24db5ab4ca082b69c1bc10f37

Restart Required: Yes

Instructions:

  1. Monitor OpenSSL releases for fix inclusion.
  2. Update to fixed version when available.
  3. Restart affected services after patching.

🔧 Temporary Workarounds

Disable NPN usage (platform: all)

Configure applications to use ALPN instead of the deprecated NPN protocol negotiation.

Application-specific configuration; consult your application documentation.

Validate protocol lists (platform: all)

Ensure applications never call SSL_select_next_proto with empty protocol lists.

Code review and validation of SSL_select_next_proto calls.
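
One way to enforce the "validate protocol lists" workaround in application code, as an added example that is not OpenSSL's or any vendor's code. The names `proto_list_is_valid`, `checked_select` and `select_fn` are hypothetical, the sample list is constructed, and the check goes slightly beyond the empty-list case by also rejecting malformed length-prefixed lists.

```c
#include <stddef.h>
#include <stdio.h>

/* Same parameter list as OpenSSL's SSL_select_next_proto(). */
typedef int (*select_fn)(unsigned char **out, unsigned char *outlen,
                         const unsigned char *server, unsigned int server_len,
                         const unsigned char *client, unsigned int client_len);

/* 1 if buf is a non-empty, well-formed NPN/ALPN list: every entry is a
 * length byte in 1..255 followed by exactly that many bytes; else 0. */
int proto_list_is_valid(const unsigned char *buf, size_t len)
{
    size_t i = 0;
    if (buf == NULL || len == 0)
        return 0;                      /* empty list: the case to refuse */
    while (i < len) {
        size_t n = buf[i];
        if (n == 0 || n > len - i - 1)
            return 0;                  /* empty name or entry past the end */
        i += 1 + n;
    }
    return 1;
}

/* Hypothetical wrapper: returns -1 without calling fn when either list is
 * unusable, so the caller aborts negotiation instead of trusting *out. */
int checked_select(select_fn fn, unsigned char **out, unsigned char *outlen,
                   const unsigned char *server, unsigned int server_len,
                   const unsigned char *client, unsigned int client_len)
{
    if (!proto_list_is_valid(server, server_len) ||
        !proto_list_is_valid(client, client_len)) {
        *out = NULL;
        *outlen = 0;
        return -1;
    }
    return fn(out, outlen, server, server_len, client, client_len);
}

int main(void)
{
    static const unsigned char server[] = "\x02h2\x08http/1.1"; /* constructed */
    unsigned char *out;
    unsigned char outlen;
    int rc = checked_select(NULL, &out, &outlen, server, sizeof server - 1,
                            server, 0); /* client_len == 0: fn is never called */
    printf("empty client list -> rc=%d outlen=%u\n", rc, outlen);
    return 0;
}
```

In an application, `fn` would be `SSL_select_next_proto` itself, and a return of -1 should be treated as a negotiation failure.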

🧯 If You Can't Patch

  • Audit applications for SSL_select_next_proto usage and ensure proper protocol list validation
  • Migrate from NPN to ALPN for all TLS protocol negotiation

🔍 How to Verify

Check if Vulnerable:

Review application source code for calls to SSL_select_next_proto and check if client_len parameter could be zero

Check Version:

openssl version

Verify Fix Applied:

Check OpenSSL version after update and verify SSL_select_next_proto implementation in source code

📡 Detection & Monitoring

Log Indicators:

  • Application crashes related to SSL/TLS handshakes
  • Unexpected protocol negotiation failures

Network Indicators:

  • Unusual data patterns in TLS handshake packets
  • NPN protocol usage instead of ALPN

SIEM Query:

Search for application errors containing 'SSL_select_next_proto' or 'buffer overread' in error logs
