SentinelOne

CVE-2024-6119: OpenSSL Certificate Name Check DOS Flaw

CVE-2024-6119 is a denial of service vulnerability in OpenSSL that causes abnormal application termination during certificate name checks. This article covers the technical details, affected systems, and mitigation strategies.


CVE-2024-6119 Overview

Applications performing certificate name checks, such as TLS clients checking server certificates, may attempt to read an invalid memory address. This could lead to the abnormal termination of the application process, resulting in a denial of service.

Critical Impact

Applications may terminate unexpectedly when handling X.509 certificates if they attempt to verify an otherName subject alternative name.

Affected Products

  • OpenSSL
  • NetApp Active IQ Unified Manager
  • NetApp Management Services for Element Software and NetApp HCI

Discovery Timeline

  • 2024-09-03T16:15:07.177 - CVE-2024-6119 published to NVD
  • 2025-06-03T10:51:54.117 - Last updated in NVD database

Technical Details for CVE-2024-6119

Vulnerability Analysis

This vulnerability arises from improper handling of otherName subject alternative names during X.509 certificate name verification. When an application specifies an expected DNS name, email address, or IP address to check against, and the certificate's subject alternative name extension contains an otherName entry, the comparison may read an invalid memory address.

Root Cause

The issue is due to faulty memory handling during the comparison of expected names with otherName values in certificates, leading to potential invalid memory access and process crashes.

Attack Vector

The attack vector is network-based, exploiting TLS client behavior when interacting with a malicious or improperly configured server.

```cpp
// Illustrative sketch of the vulnerable client-side check (pseudocode, not OpenSSL source)
#include <cstdlib>
#include <exception>
#include <string>
struct Certificate {
    bool hasOtherName;      // the SAN extension carries an otherName entry
    std::string otherName;  // that entry's raw value
    bool containsOtherName() const { return hasOtherName; }
};
bool compareNames(const std::string &expected, const std::string &actual);
void verifyName(const Certificate &certificate, const std::string &expectedName) {
    try {
        // Name verification logic: the otherName value is compared as if it were a plain
        // DNS/email/IP string, so the comparison can read an invalid memory address
        if (certificate.containsOtherName())
            compareNames(expectedName, certificate.otherName);
    } catch (const std::exception &e) {
        std::abort();  // abnormal process termination -> denial of service
    }
}
```

Detection Methods for CVE-2024-6119

Indicators of Compromise

  • Unexpected application crashes or terminations
  • Log entries related to certificate verification failures
  • Anomalies in TLS traffic patterns

Detection Strategies

Monitor for application crashes that correlate with certificate name verification processes. Implement additional logging for certificate validation procedures to capture any occurrences of invalid memory access.

Monitoring Recommendations

Set up alerts for abnormal application terminations in environments with high TLS traffic, and log DNS, email, or IP name verification failures.

How to Mitigate CVE-2024-6119

Immediate Actions Required

  • Update to the latest version of OpenSSL
  • Review and apply vendor security patches
  • Disable otherName verifications in critical environments where possible

Patch Information

Refer to the following OpenSSL patches to address the issue:

Workarounds

Disable certificate name checks or only allow strict DNS, email, or IP verifications without otherName fields.

```ini
# openssl.cnf fragment: request certificates whose SAN carries only DNS and IP entries
[ req ]
req_extensions = v3_req
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
# only include DNS names and IP addresses (no otherName entries)
DNS.1 = example.com
IP.1 = 192.0.2.1
```
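The configuration above keeps otherName entries out of newly issued certificates; the following added example (not from this page or from OpenSSL) audits an existing certificate's DER-encoded SubjectAltName value for otherName entries, the input that trips unpatched clients. The two SAN values it parses are constructed inline, and the OID-to-name mapping and tag table follow RFC 5280.

```python
# Added example (not from the page or from OpenSSL): audit the DER value of a SubjectAltName
# extension for otherName entries, the GeneralName choice that CVE-2024-6119 mishandles.
GENERAL_NAME_TAGS = {0xA0: "otherName", 0x81: "rfc822Name", 0x82: "dNSName",   # RFC 5280 4.2.1.6
                     0x86: "uniformResourceIdentifier", 0x87: "iPAddress"}   # context-specific tags

def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Decode one DER TLV at pos -> (tag, value, next_pos); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw: bytes) -> str:         # dotted form of an OBJECT IDENTIFIER body
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                       # remaining arcs are base-128, high bit = continue
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc); acc = 0
    return ".".join(map(str, arcs))

def parse_general_names(san_der: bytes) -> list[tuple[str, str]]:
    """Return (kind, printable value) for every GeneralName in the SAN SEQUENCE."""
    tag, body, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SAN extension value must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        kind = GENERAL_NAME_TAGS.get(tag, f"unsupported-tag-0x{tag:02x}")
        if kind == "otherName":             # first inner TLV is the type-id OID
            names.append((kind, _decode_oid(_read_tlv(value, 0)[1])))
        elif kind == "iPAddress":
            names.append((kind, ".".join(map(str, value)) if len(value) == 4 else value.hex()))
        else:
            names.append((kind, value.decode("ascii", "replace")))
    return names

def has_othername(san_der: bytes) -> bool:  # the SAN shape an unpatched client trips on
    return any(kind == "otherName" for kind, _ in parse_general_names(san_der))
# Constructed sample data (not from a real certificate): dNSName example.com, iPAddress
# 192.0.2.1, plus an otherName of type id-on-SmtpUTF8Mailbox (OID 1.3.6.1.5.5.7.8.9)
SAN_DNS_IP = bytes.fromhex("3013820b" + b"example.com".hex() + "8704c0000201")
OTHER_NAME = bytes.fromhex("06082b06010505070809" + "a0050c03" + b"u@x".hex())
SAN_WITH_OTHERNAME = (bytes([0x30, len(SAN_DNS_IP) + len(OTHER_NAME)])
                      + SAN_DNS_IP[2:] + bytes([0xA0, len(OTHER_NAME)]) + OTHER_NAME)

if __name__ == "__main__":                  # prints both parses and the otherName verdicts
    print([(parse_general_names(d), has_othername(d)) for d in (SAN_DNS_IP, SAN_WITH_OTHERNAME)])
```

To run it against a real certificate, feed it the raw extnValue of the 2.5.29.17 extension (the OCTET STRING contents, not the whole Extension SEQUENCE).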

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
