CVE-2024-45402 Overview
CVE-2024-45402 is a double free vulnerability affecting Picotls, a TLS protocol library that allows users to select different crypto backends based on their use case. When parsing a spoofed TLS handshake message, picotls (specifically, bindings within picotls that call the crypto libraries) may attempt to free the same memory twice. This double free occurs during the disposal of multiple objects without any intervening calls to malloc.
Typically, this triggers the malloc implementation to detect the error and abort the process. However, depending on the internals of malloc and the crypto backend being used, the flaw could potentially lead to a use-after-free scenario, which might allow for arbitrary code execution.
Critical Impact
This vulnerability enables remote attackers to exploit a double free condition in TLS handshake processing, potentially leading to denial of service or arbitrary code execution without requiring authentication or user interaction.
Affected Products
- Dena Picotls (all versions prior to patch commit 9b88159ce763d680e4a13b6e8f3171ae923a535d)
Discovery Timeline
- October 11, 2024 - CVE-2024-45402 published to NVD
- November 12, 2024 - Last updated in NVD database
Technical Details for CVE-2024-45402
Vulnerability Analysis
This vulnerability (CWE-415: Double Free) stems from improper memory management in the picotls library's crypto backend bindings. When processing malformed or spoofed TLS handshake messages, the library may invoke free() on the same memory address twice during the cleanup of cryptographic key exchange contexts.
The double free condition occurs because the key exchange callback function (on_exchange) does not properly clear pointers after freeing associated memory. When an error condition is encountered, the cleanup path attempts to free objects that have already been deallocated, corrupting the heap metadata.
While most modern malloc implementations (such as glibc's ptmalloc) detect double free conditions and terminate the process with an error, certain configurations or alternative allocators may not provide this protection. In such scenarios, the double free could lead to heap corruption, creating conditions for use-after-free exploitation and potentially enabling arbitrary code execution.
Root Cause
The root cause lies in the on_exchange callback implementation within the crypto backend bindings. When the key exchange operation fails validation (for example, when detecting an all-zeros shared secret indicating an incompatible key), the memory allocated for the secret is freed, but the pointer is not set to NULL. If the caller or subsequent error handling code attempts to free this pointer again during cleanup, a double free occurs.
The fix introduces proper pointer nullification after freeing memory and ensures that upon failure, both pubkey and secret structures either remain unchanged or are explicitly zero-cleared, preventing double deallocation.
Attack Vector
An attacker can exploit this vulnerability remotely over the network by sending specially crafted TLS handshake messages to a server or client using the vulnerable picotls library. The attack does not require authentication or user interaction. By crafting malicious key exchange parameters that trigger the failure path in the crypto bindings, an attacker can cause the double free condition.
The following code shows the security patch that addresses the vulnerability:
* When `secret` is non-NULL, this callback derives the shared secret using the private key of the context and the peer key being
* given, and sets the value in `secret`. The memory pointed to by `secret->base` must be freed by the caller by calling `free`.
* When `release` is set, the callee frees resources allocated to the context and set *keyex to NULL.
+ * Upon failure (i.e., when an PTLS error code is returned), `*pubkey` and `*secret` either remain unchanged or are zero-cleared.
*/
int (*on_exchange)(struct st_ptls_key_exchange_context_t **keyex, int release, ptls_iovec_t *secret, ptls_iovec_t peerkey);
} ptls_key_exchange_context_t;
Source: GitHub Commit
The specific fix in the x25519 crypto backend implementation:
static const uint8_t zeros[X25519_KEY_SIZE] = {0};
if (ptls_mem_equal(secret->base, zeros, sizeof(zeros))) {
free(secret->base);
+ secret->base = NULL;
return PTLS_ERROR_INCOMPATIBLE_KEY;
}
Source: GitHub Commit
Detection Methods for CVE-2024-45402
Indicators of Compromise
- Abnormal TLS handshake failures or connection resets with applications using picotls
- Unexpected process crashes with heap corruption or double free error messages
- Core dumps indicating malloc-related assertions in applications linked against picotls
- Unusual patterns of malformed TLS ClientHello or ServerHello messages in network traffic
Detection Strategies
- Deploy memory safety tools such as AddressSanitizer (ASan) in development and staging environments to detect double free conditions
- Monitor application logs for PTLS_ERROR_INCOMPATIBLE_KEY errors occurring at unusual rates
- Implement network-level TLS inspection to identify anomalous handshake patterns indicative of exploitation attempts
- Use SentinelOne's real-time behavioral analysis to detect heap corruption exploitation attempts
Monitoring Recommendations
- Enable verbose logging for TLS handshake operations in applications using picotls
- Monitor for segmentation faults or SIGABRT signals in processes utilizing the picotls library
- Track network connections that exhibit repeated TLS handshake failures from the same source
- Configure alerting for unusual process terminations in services dependent on picotls
How to Mitigate CVE-2024-45402
Immediate Actions Required
- Update picotls to a version containing commit 9b88159ce763d680e4a13b6e8f3171ae923a535d or later
- Rebuild all applications statically linked against the vulnerable picotls library
- Review dependent projects (such as H2O web server) for updates addressing this vulnerability
- Temporarily isolate vulnerable services behind additional network security controls if immediate patching is not possible
Patch Information
The vulnerability is addressed in commit 9b88159ce763d680e4a13b6e8f3171ae923a535d. Organizations should update to a version of picotls that includes this fix. For detailed patch information, refer to the GitHub Security Advisory and the GitHub Commit.
Workarounds
- If updating is not immediately feasible, consider deploying the application with hardened malloc implementations (such as jemalloc or tcmalloc with additional checks) that may abort more reliably on double free attempts
- Implement network-level filtering to block malformed TLS handshake messages from untrusted sources
- Use a Web Application Firewall (WAF) or TLS termination proxy with known-safe TLS implementations in front of vulnerable services
- Enable process-level sandboxing to limit the impact of potential code execution
# Verify picotls version and rebuild with patched source
git clone https://github.com/h2o/picotls.git
cd picotls
git checkout 9b88159ce763d680e4a13b6e8f3171ae923a535d
git submodule update --init --recursive
cmake -B build
cmake --build build
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
