CVE-2024-5535 Overview
CVE-2024-5535 affects the OpenSSL library, specifically the SSL_select_next_proto function, when it is called with an empty client protocols buffer. Because the function reads past the end of that buffer, the result can be either a crash or inadvertent disclosure of adjacent memory contents, posing a critical risk of exposing confidential information.
Critical Impact
A buffer overread of up to 255 bytes past the end of the client protocol list may expose adjacent memory contents, potentially leading to information leakage.
Affected Products
- OpenSSL (any application that directly invokes SSL_select_next_proto with a zero-length client protocol list)
Discovery Timeline
- 2024-06-27 - CVE-2024-5535 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2024-5535
Vulnerability Analysis
The vulnerability resides in the SSL_select_next_proto function of OpenSSL, which applications use to pick an application protocol during ALPN or NPN negotiation. The function does not handle the case where a zero-length client protocol list is provided, which results in a buffer overread and exposure of the memory adjacent to that list.
Root Cause
The function never validates that the client protocol list is non-empty. When the list has zero length, the pointer and length it hands back are taken from memory immediately beyond the list pointer, so whatever happens to lie past the buffer can be returned to the caller and potentially exposed as sensitive data.
Attack Vector
The issue is reachable remotely over a network, but it primarily requires a configuration or programming error in the application that calls OpenSSL's SSL_select_next_proto function: the application itself must supply a zero-length client protocol list.
// Example exploitation code (sanitized): the defect is the 0 passed as the client protocol list length
#include <openssl/ssl.h>
unsigned char *output;
unsigned char outlen;   /* the API takes unsigned char *outlen, not unsigned int */
/* server_protocols, server_protocols_len and client_protocols are assumed to be defined by the application */
SSL_select_next_proto(&output, &outlen, server_protocols, server_protocols_len, client_protocols, 0);
Detection Methods for CVE-2024-5535
Indicators of Compromise
- Unexpected application crashes
- Memory dump or packet capture analysis showing remnants of data the application never intended to send
- Unusual network packets containing outbound sensitive data
Detection Strategies
Use network monitoring tools to identify anomalies in the data exchanged during TLS/SSL handshakes, in particular protocol-negotiation values of unexpected length or content. Implement application logging that captures unexpected behavior (crashes, malformed negotiation results) which may indicate exploitation attempts.
Monitoring Recommendations
Monitor incoming and outgoing network traffic for unusual or unexpected protocol-negotiation activity. Leverage SentinelOne's behavior-based detection to flag abnormal use of OpenSSL functions in applications.
How to Mitigate CVE-2024-5535
Immediate Actions Required
- Audit application code to ensure that a non-empty client protocol list (non-zero length) is always passed to SSL_select_next_proto
- Employ rigorous input validation for all OpenSSL API calls
- Enable verbose logging to detect any runtime anomalies
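The root cause and the first immediate action above come down to one check: the client protocol list handed to the selection routine must be non-empty and well-formed before any pointer into it is returned. The following is an added example written for this page, not OpenSSL's own code. It implements a validated front-end with the same parameter order as SSL_select_next_proto, using the ALPN/NPN wire format (each entry is a length byte followed by that many bytes). The function and enum names (proto_list_valid, select_proto_checked, PROTO_*) and the return-code convention are this example's own assumptions, and the protocol lists are constructed sample data; the example does not link against OpenSSL.

```c
/* Added example (not OpenSSL code): validate both protocol lists before
 * selecting, so the zero-length client list that triggers CVE-2024-5535
 * is refused instead of being read past. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return codes for the wrapper (assumed names, not OpenSSL's). */
enum { PROTO_SELECTED = 0, PROTO_NO_OVERLAP = 1, PROTO_INVALID_INPUT = -1 };

/* A list is valid when it is non-empty, every entry has a non-zero length
 * byte, and no entry runs past the end of the buffer. Returns 1 or 0. */
int proto_list_valid(const unsigned char *buf, unsigned int len)
{
    unsigned int i = 0;

    if (buf == NULL || len == 0)
        return 0;                       /* the CVE-2024-5535 trigger: empty list */
    while (i < len) {
        unsigned int l = buf[i];
        if (l == 0 || i + 1 + l > len)
            return 0;                   /* empty entry, or entry is truncated */
        i += 1 + l;
    }
    return 1;
}

/* Same parameter order as SSL_select_next_proto. On success *out points
 * inside client[0..client_len) and *outlen is that entry's length; on
 * invalid input nothing is returned and *out is left NULL. */
int select_proto_checked(const unsigned char **out, unsigned char *outlen,
                         const unsigned char *server, unsigned int server_len,
                         const unsigned char *client, unsigned int client_len)
{
    unsigned int s, c;

    *out = NULL;
    *outlen = 0;
    if (!proto_list_valid(client, client_len) || !proto_list_valid(server, server_len))
        return PROTO_INVALID_INPUT;

    /* Server preference: the first server entry present in the client list wins. */
    for (s = 0; s < server_len; s += 1 + server[s]) {
        for (c = 0; c < client_len; c += 1 + client[c]) {
            if (server[s] == client[c] &&
                memcmp(server + s + 1, client + c + 1, server[s]) == 0) {
                *out = client + c + 1;
                *outlen = client[c];
                return PROTO_SELECTED;
            }
        }
    }
    /* No overlap: fall back to the client's first entry, which validation
     * has already shown to lie entirely inside the buffer. */
    *out = client + 1;
    *outlen = client[0];
    return PROTO_NO_OVERLAP;
}

/* Self-check over constructed lists; returns how many of the four cases
 * behave as intended (4 when everything works). */
int run_cases(void)
{
    static const unsigned char client[] = "\x02h2\x08http/1.1";  /* constructed, 12 bytes */
    static const unsigned char server[] = "\x08http/1.1\x02h2";  /* constructed, 12 bytes */
    static const unsigned char other[]  = "\x06spdy/3";          /* constructed, 7 bytes */
    const unsigned char *out = NULL;
    unsigned char outlen = 0;
    int ok = 0;

    /* 1. Normal case: server-preferred "http/1.1" is found in the client list. */
    if (select_proto_checked(&out, &outlen, server, 12, client, 12) == PROTO_SELECTED &&
        outlen == 8 && memcmp(out, "http/1.1", 8) == 0 &&
        out >= client && out + outlen <= client + 12)
        ok++;
    /* 2. CVE-2024-5535 trigger: a zero-length client list is refused. */
    if (select_proto_checked(&out, &outlen, server, 12, client, 0) == PROTO_INVALID_INPUT &&
        out == NULL)
        ok++;
    /* 3. Truncated entry: the length byte claims more bytes than the buffer holds. */
    if (select_proto_checked(&out, &outlen, server, 12,
                             (const unsigned char *)"\x05h2", 3) == PROTO_INVALID_INPUT)
        ok++;
    /* 4. No overlap: the fallback stays inside the client buffer. */
    if (select_proto_checked(&out, &outlen, other, 7, client, 12) == PROTO_NO_OVERLAP &&
        outlen == 2 && memcmp(out, "h2", 2) == 0)
        ok++;
    return ok;
}

int main(void)
{
    printf("%d of 4 cases behaved as intended\n", run_cases());
    return 0;
}
```

The validation step is the part worth carrying into real code: whatever calls the OpenSSL function should refuse (or log and fail closed on) an empty list before the call, because once the unchecked call is made the pointer handed back may already point past the buffer.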
Patch Information
Because of the low severity classification, no immediate patch release was issued for this issue; the fix will be incorporated in future OpenSSL releases.
Workarounds
Where possible, configure your applications to use ALPN strictly, as that path inherently avoids zero-length client protocol lists.
# Configuration example
# ALPN_ENABLED and CLIENT_PROTOS are application-defined variables, not OpenSSL settings;
# OPENSSL_CONF is the variable OpenSSL itself reads to locate its configuration file.
export ALPN_ENABLED=true
export OPENSSL_CONF=/path/to/openssl.cnf
# Workaround to ensure a non-zero client protocol list before the application starts
if [[ -z "$CLIENT_PROTOS" ]]; then
    echo "Error: Client protocols list cannot be empty" >&2
    exit 1
fi
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

