OpenSSL has patched CVE-2024-12797, a high-severity vulnerability found by Apple that can allow man-in-the-middle attacks.
February 11, 2025 By Eduard Kovacs
The OpenSSL Project on Tuesday announced patches for the first high-severity vulnerability seen in the secure communications library in two years.
The vulnerability, tracked as CVE-2024-12797, was reported to OpenSSL developers by Apple in mid-December 2024.
The issue is related to clients using RFC7250 raw public keys (RPKs) to authenticate a server. CVE-2024-12797 was introduced in OpenSSL 3.2 with the implementation of RPK support.
Because handshakes don’t abort as expected when the ‘SSL_VERIFY_PEER’ verification mode is set, impacted clients could fail to notice that the server has not been authenticated.
If the authentication failure is not identified by the client, man-in-the-middle (MitM) attacks may be possible against TLS and DTLS connections that use RPKs.
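To scope exposure, a defender can check which clients actually offer RPKs for server authentication. The following is an added example, not code from the article or from OpenSSL: it parses a TLS ClientHello handshake message and reports the certificate types offered in the RFC 7250 `server_certificate_type` extension. The function names and the sample bytes are constructed for illustration, the extension and type code points come from RFC 7250, and DTLS (which uses a different handshake layout) is not handled.

```python
EXT_SERVER_CERT_TYPE = 20  # RFC 7250 server_certificate_type extension
CERT_TYPE_X509, CERT_TYPE_RPK = 0, 2  # RFC 7250 certificate type values

class _Reader:  # bounds-checked cursor over a byte string
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated ClientHello")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def vec(self, len_bytes):  # vector with a big-endian length prefix
        return self.take(int.from_bytes(self.take(len_bytes), "big"))

def offered_server_cert_types(handshake):
    """Server certificate types offered by a TLS ClientHello handshake message."""
    r = _Reader(handshake)
    if r.take(1) != b"\x01":
        raise ValueError("not a ClientHello")
    body = _Reader(r.vec(3))
    body.take(2 + 32)  # legacy_version, random
    body.vec(1)        # session_id
    body.vec(2)        # cipher_suites
    body.vec(1)        # compression_methods
    if body.pos == len(body.data):
        return [CERT_TYPE_X509]  # no extensions: X.509 is the default
    exts = _Reader(body.vec(2))
    while exts.pos < len(exts.data):
        ext_type = int.from_bytes(exts.take(2), "big")
        ext_data = _Reader(exts.vec(2))
        if ext_type == EXT_SERVER_CERT_TYPE:
            return list(ext_data.vec(1))  # 1-byte length, then type codes
    return [CERT_TYPE_X509]

def client_in_scope(handshake):
    """True if the client offers raw public keys for server authentication."""
    return CERT_TYPE_RPK in offered_server_cert_types(handshake)

def build_sample(extensions):
    """Constructed ClientHello for testing; not captured traffic."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
    body += len(extensions).to_bytes(2, "big") + extensions
    return b"\x01" + len(body).to_bytes(3, "big") + body

# Constructed: supported_versions (43), then server_certificate_type = [RPK, X.509]
SAMPLE_RPK_HELLO = build_sample(b"\x00\x2b\x00\x03\x02\x03\x04" b"\x00\x14\x00\x03\x02\x02\x00")
```

An offer only shows that the client is willing to use RPKs; whether a given connection used one depends on the type the server selects in its reply.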