7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-4741

GHSA ID

GHSA-6vgq-8qjq-h578

EPSS Score

0.26597%

CWE

CWE-416

Published

11/13/2024

Updated

11/13/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-4741

CVE-2024-4741: Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause memory to be accessed...

Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause memory to be accessed that was previously freed in some situations

Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, only applications that directly call the SSL_free_buffers function are affected by this issue. Applications that do not call this function are not vulnerable. Our investigations indicate that this function is rarely used by applications.

The SSL_free_buffers function is used to free the internal OpenSSL buffer used when processing an incoming record from the network. The call is only expected to succeed if the buffer is not currently in use. However, two scenarios have been identified where the buffer is freed even when still in use.

The first scenario occurs where a record header has been received from the network and processed by OpenSSL, but the full record body has not yet arrived. In this case calling SSL_free_buffers will succeed even though a record has only been partially processed and the buffer is still in use.

The second scenario occurs where a full record containing application data has been received and processed by OpenSSL but the application has only read part of this data. Again a call to SSL_free_buffers will succeed even though the buffer is still in use.

While these scenarios could occur accidentally during normal operation a malicious attacker could attempt to engineer a stituation where this occurs. We are not aware of this issue being actively exploited.

The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-4741

GHSA ID

GHSA-6vgq-8qjq-h578

EPSS Score

0.26597%

CWE

CWE-416

Published

11/13/2024

Updated

11/13/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability (CVE-2024-4741) is a use-after-free caused by calling SSL_free_buffers when underlying buffers are still in use. The analysis of the provided patches confirms this:

Commits 704f725b96aa373ee45ecfb23f6abfe8be8d9177 and b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d directly modify SSL_free_buffers in ssl/ssl_lib.c by adding a new check (RECORD_LAYER_data_present) before allowing buffers to be released. This directly points to SSL_free_buffers as the API function whose previous implementation was vulnerable.
Commits c88c3de51020c37e8706bf7a682a162593053aac and e5093133c35ca82874ad83697af76f4b0f7e3bd8 modify tls_free_buffers in ssl/record/methods/tls_common.c. This function handles the lower-level details of freeing buffers. The patch tightens the conditions under which buffers are freed, specifically checking if all records have been released (rl->curr_rec != rl->num_released) and if the state is SSL_ST_READ_BODY. This indicates that the previous logic in tls_free_buffers was insufficient and contributed to the UAF when SSL_free_buffers was invoked.

The vulnerability description clearly states that applications calling SSL_free_buffers are affected. The patches show that this function, and its underlying helper tls_free_buffers, lacked proper checks, leading to the vulnerability. The newly added function RECORD_LAYER_data_present is part of the mitigation, not the vulnerability itself.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Issu* summ*ry: **llin* t** Op*nSSL *PI *un*tion SSL_*r**_*u***rs m*y **us* m*mory to ** ****ss** t**t w*s pr*viously *r*** in som* situ*tions Imp**t summ*ry: * us* **t*r *r** **n **v* * r*n** o* pot*nti*l *ons*qu*n**s su** *s t** *orruption o* v*li*

Reasoning

T** vuln*r**ility (*V*-****-****) is * us*-**t*r-*r** **us** *y **llin* SSL_*r**_*u***rs w**n un**rlyin* *u***rs *r* still in us*. T** *n*lysis o* t** provi*** p*t***s *on*irms t*is: *. *ommits **************************************** *n* ***********

7.5

Basic Information

Concerned about an active attack path?

CVE-2024-4741: Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause memory to be accessed...

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI