CVE-2024-6119 Overview
Applications performing certificate name checks, such as TLS clients checking server certificates, may attempt to read an invalid memory address. This could lead to the abnormal termination of the application process, resulting in a denial of service.
Impact
Applications may terminate unexpectedly when handling X.509 certificates if name verification reaches an otherName subject alternative name. The outcome is a denial of service only: the mis-typed data is read, not written, and feeds nothing but a comparison, so neither remote code execution nor memory disclosure follows, and OpenSSL rates the issue Moderate. Basic chain validation (signatures, validity dates) is unaffected; the crash requires the application to have set an expected DNS name, email address or IP address, which TLS clients routinely do and TLS servers that request client certificates rarely do.
Affected Products
- OpenSSL 3.0, 3.1, 3.2 and 3.3 (fixed in 3.0.15, 3.1.7, 3.2.3 and 3.3.2; 1.1.1 and 1.0.2 are not affected)
- NetApp Active IQ Unified Manager
- NetApp Management Services for Element Software and NetApp HCI
Discovery Timeline
- Not available - Vulnerability discovered and reported (reporter not recorded on this page)
- Not available - Responsible disclosure to OpenSSL
- Not available - CVE-2024-6119 assigned
- 2024-09-03 - OpenSSL publishes its security advisory and releases the fixed versions 3.3.2, 3.2.3, 3.1.7 and 3.0.15
- 2024-09-03T16:15:07.177 - CVE-2024-6119 published to NVD
- 2025-06-03T10:51:54.117 - Last updated in NVD database
Technical Details for CVE-2024-6119
Vulnerability Analysis
The defect sits in OpenSSL's X.509 name-check code: the routine shared by X509_check_host, X509_check_email and X509_check_ip, which also runs inside certificate verification whenever the application has set a reference identity with X509_VERIFY_PARAM_set1_host, X509_VERIFY_PARAM_set1_email or X509_VERIFY_PARAM_set1_ip (SSL_set1_host does this for TLS clients). That routine walks the subjectAltName entries and compares each entry of the right kind against the expected name. Its handling of otherName entries, present for SmtpUTF8Mailbox (the internationalised email address form of RFC 8398), could read an entry's value through the wrong type, so a certificate carrying a crafted otherName made the comparison dereference an invalid address.
Root Cause
GENERAL_NAME is a tagged union: a type field selects which member of the d union is live (ia5 for dNSName and rfc822Name, otherName for an otherName entry, and so on), and the members do not share a layout. The name-check loop read an otherName entry's value through a member that did not match GEN_OTHERNAME, so the length and data pointer it used belonged to a different structure; the fix commit puts it as "not all the member fields have the same structure, and a segfault is possible if the wrong member field is dereferenced". The mis-typed data is only read and only fed to a comparison, which is why the result is a crash rather than memory disclosure or code execution.
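The following is an added example, not OpenSSL's code: a constructed model of the defect class just described, with the vulnerable access pattern beside the corrected one. The type tag values (GEN_OTHERNAME, GEN_EMAIL, GEN_DNS), the ASN.1 tag numbers and the SmtpUTF8Mailbox OID are OpenSSL's; the struct shapes, the OID-as-string representation, the simplified comparison rules and the sample subjectAltName are assumptions made for the model.

```c
/* Added example, not OpenSSL's code: a constructed model of the defect class
 * behind CVE-2024-6119. OpenSSL's GENERAL_NAME keeps its value in a union that
 * the type tag selects; reading it through a member that does not match the tag
 * follows pointers from the wrong struct layout. Tag values, ASN.1 tag numbers
 * and the SmtpUTF8Mailbox OID are OpenSSL's; the struct shapes, the OID-as-string
 * representation and the sample SAN below are simplifications. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum { GEN_OTHERNAME = 0, GEN_EMAIL = 1, GEN_DNS = 2 };       /* GENERAL_NAME types */
enum { V_ASN1_UTF8STRING = 12, V_ASN1_IA5STRING = 22 };       /* ASN.1 string tags */
#define OID_SMTPUTF8MAILBOX "1.3.6.1.5.5.7.8.9"   /* id-on-SmtpUTF8Mailbox, RFC 8398 */

typedef struct { int tag; int length; const char *data; } ASN1_STRING;
typedef struct { const char *type_id; ASN1_STRING *value; } OTHERNAME;
typedef struct { int type; union { ASN1_STRING *ia5; OTHERNAME *otherName; } d; } GENERAL_NAME;

/* Compare a NUL-terminated expected name with a length-delimited ASN.1 string:
 * DNS names case-insensitively, email addresses byte-for-byte (simplified). */
static int name_equal(int check_type, const char *expected, const ASN1_STRING *s)
{
    size_t n = strlen(expected);
    if ((size_t)s->length != n)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char a = (unsigned char)expected[i], b = (unsigned char)s->data[i];
        if (check_type == GEN_DNS ? tolower(a) != tolower(b) : a != b)
            return 0;
    }
    return 1;
}

/* VULNERABLE pattern: every candidate entry is read through d.ia5. On an otherName
 * entry d.ia5 aliases d.otherName, so an OTHERNAME is reinterpreted as an ASN1_STRING
 * and its fields are used as a length and a data pointer: undefined behaviour, in
 * practice an invalid read and SIGSEGV. Call it only on input without otherName. */
int check_name_vulnerable(const GENERAL_NAME *gens, size_t n, int check_type, const char *expected)
{
    for (size_t i = 0; i < n; i++) {
        const GENERAL_NAME *gen = &gens[i];
        if (gen->type != check_type && gen->type != GEN_OTHERNAME)
            continue;
        if (name_equal(check_type, expected, gen->d.ia5))   /* wrong member for GEN_OTHERNAME */
            return 1;
    }
    return 0;
}

/* FIXED pattern: dispatch on gen->type first and touch only the live member. An
 * otherName counts only as an SmtpUTF8Mailbox during an email check, and only when
 * its value really is a UTF8String; every other otherName is skipped. */
int check_name_fixed(const GENERAL_NAME *gens, size_t n, int check_type, const char *expected)
{
    for (size_t i = 0; i < n; i++) {
        const GENERAL_NAME *gen = &gens[i];
        const ASN1_STRING *s = NULL;
        switch (gen->type) {
        case GEN_OTHERNAME:
            if (check_type != GEN_EMAIL
                || strcmp(gen->d.otherName->type_id, OID_SMTPUTF8MAILBOX) != 0
                || gen->d.otherName->value->tag != V_ASN1_UTF8STRING)
                continue;
            s = gen->d.otherName->value;
            break;
        case GEN_EMAIL:
        case GEN_DNS:
            if (gen->type != check_type)
                continue;
            s = gen->d.ia5;
            break;
        default:
            continue;                                   /* IP, URI, dirName: not modelled */
        }
        if (name_equal(check_type, expected, s))
            return 1;
    }
    return 0;
}

/* Constructed sample subjectAltName: dNSName, rfc822Name, an SmtpUTF8Mailbox
 * otherName (RFC 8398) and a Microsoft UPN otherName, which is a different type. */
static ASN1_STRING dns_v  = { V_ASN1_IA5STRING,  11, "example.com" };
static ASN1_STRING mail_v = { V_ASN1_IA5STRING,  17, "alice@example.com" };
static ASN1_STRING eai_v  = { V_ASN1_UTF8STRING, 19, "j\xc3\xbcrgen@example.com" };
static ASN1_STRING upn_v  = { V_ASN1_UTF8STRING, 20, "bob@corp.example.com" };
static OTHERNAME eai_on = { OID_SMTPUTF8MAILBOX, &eai_v };
static OTHERNAME upn_on = { "1.3.6.1.4.1.311.20.2.3", &upn_v };
const GENERAL_NAME SAMPLE_SAN[4] = {
    { GEN_DNS, { .ia5 = &dns_v } }, { GEN_EMAIL, { .ia5 = &mail_v } },
    { GEN_OTHERNAME, { .otherName = &eai_on } }, { GEN_OTHERNAME, { .otherName = &upn_on } },
};
const size_t SAMPLE_SAN_LEN = 4;

int main(void)
{
    printf("fixed, DNS check for EXAMPLE.COM: %d\n",
           check_name_fixed(SAMPLE_SAN, SAMPLE_SAN_LEN, GEN_DNS, "EXAMPLE.COM"));
    printf("fixed, email check for the EAI address: %d\n",
           check_name_fixed(SAMPLE_SAN, SAMPLE_SAN_LEN, GEN_EMAIL, "j\xc3\xbcrgen@example.com"));
    printf("vulnerable, DNS check on the otherName-free prefix only: %d\n",
           check_name_vulnerable(SAMPLE_SAN, 2, GEN_DNS, "example.com"));
    return 0;
}
```

The two functions agree on input without otherName entries, which is why the bug survived ordinary testing; the difference shows only when an otherName is present, where the vulnerable variant follows OTHERNAME fields as if they were a string length and data pointer. Running it on the full sample is deliberately left to the reader with a debugger attached. The fixed variant also encodes the RFC 8398 rule that SmtpUTF8Mailbox is relevant only to email checks, so a DNS check never looks inside an otherName at all.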
Attack Vector
Network-based and unauthenticated. The attacker needs the victim to open a TLS connection that the attacker terminates (a hostile server, or a legitimate server whose certificate the attacker can substitute) and presents a certificate whose subjectAltName carries a crafted otherName entry. The crash occurs in the client's verification code while it compares its expected DNS name, email address or IP address against that entry, before any application data is exchanged, and it recurs on every reconnect. Servers that request client certificates are affected only if they also set a reference identity for the client, which is rare; most extract the presented identity after chain validation and never run the name check.
// Sketch of the affected code path (illustrative pseudocode, not OpenSSL source)
for each GENERAL_NAME gen in the certificate's subjectAltName:
    if (gen.type == GEN_OTHERNAME) {
        // Defect: gen.d is a union selected by gen.type. The otherName value was
        // read through a union member that does not match GEN_OTHERNAME, so the
        // length and pointer followed here come from a different struct layout.
        compareNames(expectedName, gen.d.<member that does not match gen.type>);  // invalid read, SIGSEGV
    }
// The fault is a hardware exception (SIGSEGV), not a C++ exception: try/catch does
// not see it, and the process dies unless a signal handler intervenes. Nothing is
// written and the read feeds only a comparison, so the result is a crash rather
// than memory disclosure or code execution.
Detection Methods for CVE-2024-6119
Indicators of Compromise
- TLS client processes dying with SIGSEGV (signal 11) with the faulting instruction inside libcrypto.so.3, shortly after opening a connection; the crash precedes any log line the application would have written about the certificate, so the absence of a "verification failed" message is expected
- Crash dumps whose backtrace passes through the X.509 name-check functions (X509_check_host, X509_check_email, X509_check_ip, or X509_verify_cert on its way to them)
- Peer certificates carrying otherName subjectAltName entries; with TLS 1.2 the server's Certificate message is visible on the wire, with TLS 1.3 it is encrypted and has to be captured at the endpoint
- Crash-and-restart loops against one remote endpoint: the client reconnects, receives the same certificate and dies again, so the connection never reaches application data
Detection Strategies
The crash itself is the signal. A logging statement inside the library cannot record an invalid read, because the fault ends the process before anything is written, so capture it from outside: keep core dumps enabled (systemd-coredump or a core_pattern handler) for TLS-speaking services, collect the kernel's segfault messages, and treat a SIGSEGV whose faulting instruction lies in libcrypto.so.3 in a process that had just opened a TLS connection as a candidate for this bug. Confirm from the core dump by checking whether the backtrace runs through X509_check_host, X509_check_email or X509_check_ip (or X509_verify_cert calling them), and by inspecting the peer certificate for otherName subjectAltName entries.
Monitoring Recommendations
Alert on abnormal terminations (exit by signal 11) of processes that act as TLS clients: outbound proxies, mail relays, monitoring and update agents, anything that sets an expected hostname through SSL_set1_host or X509_VERIFY_PARAM_set1_host. Track crash-and-restart rates per service and per remote endpoint, since a hostile server that triggers the bug once triggers it on every reconnect. Where TLS 1.2 is still in use, passive capture can additionally surface server certificates with otherName SAN entries; with TLS 1.3 the certificate is encrypted and that inspection has to happen at the endpoint.
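As an added example of the crash-side detection described above (not part of the original page and not tied to any particular product), the program below parses journald-style Linux kernel segfault messages and flags the signature worth pulling a core dump for: a user-mode read fault whose faulting instruction lies in OpenSSL 3's libcrypto. The log lines are constructed, the message layout and error-code bits are the x86 Linux ones, and the function names are this example's own.

```c
/* Added example, not from the original page: triage journald-style kernel
 * segfault messages for the crash signature of CVE-2024-6119. The log lines
 * are constructed; the message format is the x86 Linux one, where the error
 * code has bit 1 set for a write and bit 2 set for a user-mode access. */
#include <stdio.h>
#include <string.h>

typedef struct {
    char comm[32];           /* process name as printed by the kernel */
    long pid;
    unsigned long addr;      /* faulting address */
    unsigned err;            /* page-fault error code */
    char module[64];         /* object the faulting instruction lies in */
} segfault_t;

/* Parse "<comm>[<pid>]: segfault at <addr> ip <ip> sp <sp> error <n> in <module>[...]"
 * after the "kernel: " prefix. Returns 1 when all fields were found. */
int parse_segfault(const char *line, segfault_t *out)
{
    const char *p = strstr(line, "kernel: ");
    if (p == NULL)
        return 0;
    p += strlen("kernel: ");
    return sscanf(p, "%31[^[][%ld]: segfault at %lx ip %*lx sp %*lx error %u in %63[^[]",
                  out->comm, &out->pid, &out->addr, &out->err, out->module) == 5;
}

/* The signature: a user-mode read fault whose faulting instruction is inside
 * OpenSSL 3's libcrypto (the X.509 name check lives there). libcrypto.so.1.1
 * is deliberately excluded because 1.1.1 never had the defective code. This
 * is a cue to pull the core dump, not proof on its own. */
int is_cve_2024_6119_candidate(const segfault_t *sf)
{
    int user_read = (sf->err & 4u) != 0 && (sf->err & 2u) == 0;
    return user_read && strncmp(sf->module, "libcrypto.so.3", strlen("libcrypto.so.3")) == 0;
}

/* Number of candidate crashes among the given lines. */
size_t count_candidates(const char *const *lines, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        segfault_t sf;
        if (parse_segfault(lines[i], &sf) && is_cve_2024_6119_candidate(&sf))
            hits++;
    }
    return hits;
}

/* PID of the first candidate crash, or -1 if there is none. */
long first_candidate_pid(const char *const *lines, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        segfault_t sf;
        if (parse_segfault(lines[i], &sf) && is_cve_2024_6119_candidate(&sf))
            return sf.pid;
    }
    return -1;
}

/* Constructed sample: one read fault in libcrypto.so.3 (the candidate), one write
 * fault inside nginx itself, one read fault in libcrypto.so.1.1, plus noise. */
const char *const SAMPLE_LOG[] = {
    "Sep 03 10:14:02 edge01 kernel: curl-agent[21877]: segfault at 8 ip 00007f3a1c2b4d10 sp 00007ffd2b3c1e40 error 4 in libcrypto.so.3[7f3a1c100000+2a0000]",
    "Sep 03 10:14:03 edge01 systemd[1]: curl-agent.service: Main process exited, code=killed, status=11/SEGV",
    "Sep 03 10:20:11 edge01 kernel: nginx[1404]: segfault at 0 ip 000055d1e2f0a1c0 sp 00007ffe1a2b3c40 error 6 in nginx[55d1e2e00000+180000]",
    "Sep 03 10:21:45 edge01 sshd[2201]: Accepted publickey for ops from 192.0.2.7 port 50122 ssh2",
    "Sep 03 10:25:09 edge01 kernel: mailrelay[3310]: segfault at 10 ip 00007f9c44a1b200 sp 00007ffc0d8e1f10 error 4 in libcrypto.so.1.1[7f9c44900000+280000]",
};
const size_t SAMPLE_LOG_LEN = sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0];

int main(void)
{
    printf("candidate crashes: %zu (first pid %ld)\n",
           count_candidates(SAMPLE_LOG, SAMPLE_LOG_LEN),
           first_candidate_pid(SAMPLE_LOG, SAMPLE_LOG_LEN));
    return 0;
}
```

The module filter is what keeps this useful: any crash in libcrypto is worth a look, but a write fault or a fault in the application's own text is a different bug. Pair a hit with the systemd "status=11/SEGV" line for the same unit to pick the core dump, and with the service's outbound connection log to identify the peer that served the certificate.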
How to Mitigate CVE-2024-6119
Immediate Actions Required
- Upgrade OpenSSL to 3.3.2, 3.2.3, 3.1.7 or 3.0.15 (or any later release); 1.1.1 and 1.0.2 are not affected
- Apply vendor patches for products that bundle OpenSSL 3.x (the NetApp products listed above), and rebuild anything that links libcrypto statically or vendors its source, since those do not pick up a system library update
- Do not disable hostname verification as a stopgap: that trades a crash for an active man-in-the-middle position, and the name check is exactly what the fix protects
Patch Information
The fix shipped with the OpenSSL security advisory of 3 September 2024, in releases 3.3.2, 3.2.3, 3.1.7 and 3.0.15 for the 3.3, 3.2, 3.1 and 3.0 branches respectively. The change is confined to the X.509 name-check code: each GENERAL_NAME is dispatched on its type field before its union value is read, and an otherName entry is compared only when it is an SmtpUTF8Mailbox with a UTF8String value and the check is an email check. Distribution packages commonly backport the change without bumping the upstream version, so check the package changelog rather than the version string alone.
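As an added example, not OpenSSL's code, the program below turns the fixed-version list above into an inventory check: given a version string (a bare "3.0.13" or the output of `openssl version`), it reports whether that upstream release still carries the bug. The function names and the sample strings are this example's own; the caveat about distribution backports applies to its result.

```c
/* Added example, not OpenSSL's code: decide from a version string whether an
 * OpenSSL build still carries CVE-2024-6119. The first fixed releases come
 * from the OpenSSL advisory of 3 September 2024: 3.0.15, 3.1.7, 3.2.3, 3.3.2.
 * 1.1.1 and 1.0.2 never had the affected code; 3.4 shipped after the fix. */
#include <stdio.h>
#include <string.h>

typedef struct { int major, minor, patch; } openssl_ver_t;

/* Accepts a bare "3.0.13" or the output of `openssl version`, e.g.
 * "OpenSSL 3.0.13 30 Jan 2024" or "OpenSSL 1.1.1w  11 Sep 2023". */
int parse_openssl_version(const char *text, openssl_ver_t *v)
{
    const char *p = strstr(text, "OpenSSL ");
    p = (p != NULL) ? p + strlen("OpenSSL ") : text;
    return sscanf(p, "%d.%d.%d", &v->major, &v->minor, &v->patch) == 3;
}

/* 1 if the version is in an affected range, 0 if fixed or never affected. */
int openssl_vulnerable_cve_2024_6119(const openssl_ver_t *v)
{
    static const openssl_ver_t first_fixed[] = {
        { 3, 0, 15 }, { 3, 1, 7 }, { 3, 2, 3 }, { 3, 3, 2 },
    };
    if (v->major != 3)
        return 0;                       /* 1.x never affected; later majors postdate the fix */
    for (size_t i = 0; i < sizeof first_fixed / sizeof first_fixed[0]; i++)
        if (first_fixed[i].minor == v->minor)
            return v->patch < first_fixed[i].patch;
    return 0;                           /* 3.4 and later */
}

/* Classify a raw string: 1 vulnerable, 0 not vulnerable, -1 unparsable. */
int classify_openssl_version(const char *text)
{
    openssl_ver_t v;
    if (!parse_openssl_version(text, &v))
        return -1;
    return openssl_vulnerable_cve_2024_6119(&v);
}

int main(void)
{
    const char *samples[] = {           /* constructed inputs */
        "OpenSSL 3.0.13 30 Jan 2024", "OpenSSL 3.3.2 3 Sep 2024",
        "OpenSSL 1.1.1w  11 Sep 2023", "3.2.2", "3.4.0", "not a version",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-30s -> %d\n", samples[i], classify_openssl_version(samples[i]));
    return 0;
}
```

Run it against the library a service actually loads (the path from ldd, or the copy bundled inside a container or static binary), not only the `openssl` binary on PATH. A "vulnerable" result on a distribution package is a prompt to read that package's changelog, since Debian, Red Hat and others backport fixes while keeping the upstream version number.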
Workarounds
There is no workaround that preserves the security of the name check; upgrading is the fix. Two points are worth stating plainly:
- Disabling certificate name checks (or verification altogether) stops the crash but lets any certificate pass, which is a far worse outcome than a denial of service. Do not do this.
- Keeping otherName entries out of the certificates you issue does not protect your clients from a hostile peer, who presents whatever certificate they like. It is still reasonable hygiene for an internal PKI: otherName SANs (for example the Microsoft UPN entries common in Active Directory environments) are exactly the input that exercises the defective path, so a fleet of not-yet-patched OpenSSL 3 clients is one crafted or malformed internal certificate away from a self-inflicted outage.
The fragment below is an openssl.cnf request-extension section that emits only dNSName and iPAddress entries; merge it into an existing configuration rather than using it on its own.
# openssl.cnf fragment: subjectAltName with DNS and IP entries only, no otherName
[ req ]
req_extensions = v3_req
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = example.com
IP.1 = 192.0.2.1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

