PT-2024-6083 · Python+13 · Cpython+13
David Benjamin +2
Published 2024-05-02 · Updated 2026-04-27
CVE-2024-5535
CVSS v2.0: 9.4 (Critical)
| Vector | AV:N/AC:L/Au:N/C:C/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
OpenSSL versions prior to the next release (exact version not specified)
CPython version 3.9 and earlier
Description
The issue is in the OpenSSL API function SSL_select_next_proto, which can crash or send memory contents to the peer when called with an empty supported client protocols buffer. This can result in a loss of confidentiality, with up to 255 bytes of arbitrary private data from memory being sent to the peer. The issue is typically not under attacker control and may occur by accident due to a configuration or programming error in the calling application. SSL_select_next_proto is used by TLS applications that support ALPN (Application Layer Protocol Negotiation) or NPN (Next Protocol Negotiation); NPN is the older mechanism and is deprecated in favor of ALPN.
Recommendations
For OpenSSL versions prior to the next release, there is no information about a newer version that contains a fix for this vulnerability.
For CPython version 3.9 and earlier, ensure that SSLContext.set_npn_protocols() is not configured with an empty list, to prevent the buffer over-read.
As a temporary workaround, consider disabling NPN in favor of ALPN to minimize the risk of exploitation.
Restrict calls to SSL_select_next_proto so that it is never invoked with an empty client protocol buffer.
Never pass client_len with a value of 0 when calling SSL_select_next_proto.
Note: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
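As an added example (not from the advisory, OpenSSL or CPython), the following Python guard encodes a protocol list into the length-prefixed wire format OpenSSL expects, refuses the empty list that triggers the over-read, and then configures ALPN rather than the deprecated NPN; the function names are our own.

```python
import ssl

MAX_PROTO_LEN = 255  # the wire format uses one length byte per entry


def encode_protocol_list(protocols):
    """Encode protocol names in OpenSSL's length-prefixed wire format.

    An empty list would produce an empty buffer, which is exactly the
    input that makes SSL_select_next_proto over-read, so it is rejected
    here before it can ever reach OpenSSL.
    """
    # e.g. ["h2", "http/1.1"] -> b"\x02h2\x08http/1.1"
    if not protocols:
        raise ValueError("protocol list must not be empty (CVE-2024-5535 trigger)")
    out = bytearray()
    for proto in protocols:
        name = proto.encode("ascii")  # ALPN/NPN names are ASCII byte strings
        if not 1 <= len(name) <= MAX_PROTO_LEN:
            raise ValueError(f"protocol name must be 1..255 bytes, got {len(name)}")
        out.append(len(name))
        out += name
    return bytes(out)


def configure_alpn(ctx, protocols):
    """Validate the list, then configure ALPN (never NPN) on ctx.

    Returns the wire encoding so callers can log what was actually offered.
    """
    wire = encode_protocol_list(protocols)  # raises on empty/invalid lists
    ctx.set_alpn_protocols(list(protocols))
    return wire


def make_client_context(protocols=("h2", "http/1.1")):
    """Build a TLS client context that always offers a non-empty ALPN list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    configure_alpn(ctx, protocols)
    return ctx


if __name__ == "__main__":
    print(configure_alpn(make_client_context(), ["h2", "http/1.1"]))
```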
DoS
Out of bounds Read
Information Disclosure
Affected Products
ALT Linux
AlmaLinux
Astra Linux
CPython
CentOS
IBM AIX
Linux Mint
MySQL Server
OpenSSL
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu