CVE-2024-53846 in otp
Summary
by MITRE • 12/05/2024
OTP is a set of Erlang libraries, which consists of the Erlang runtime system, a number of ready-to-use components mainly written in Erlang, and a set of design principles for Erlang programs. A regression was introduced into the ssl application of OTP starting at OTP-25.3.2.8, OTP-26.2, and OTP-27.0, resulting in a server or client verifying the peer when incorrect extended key usage is presented (i.e., a server will verify a client if they have server auth ext key usage and vice versa).
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 05/24/2025
The vulnerability identified as CVE-2024-53846 represents a critical security flaw within the Erlang Open Telecom Platform that affects the ssl application across multiple OTP versions. This regression specifically impacts the certificate validation process, creating a scenario where peer authentication mechanisms fail to properly enforce extended key usage constraints. The vulnerability was introduced in OTP releases starting from version 25.3.2.8, 26.2, and 27.0, indicating a widespread impact across the Erlang ecosystem. The core issue lies in the improper handling of extended key usage validation during SSL/TLS certificate verification processes, which undermines the fundamental security assurances that certificate-based authentication should provide.
The technical flaw manifests when the ssl application incorrectly validates peer certificates by not properly enforcing extended key usage constraints during the certificate verification process. In normal operation, servers and clients should verify that certificates presented by peers contain appropriate extended key usage extensions that match their intended role in the communication. However, this vulnerability allows a server to accept a client certificate that contains server authentication extended key usage, or conversely, allows a client to accept a server certificate that contains client authentication extended key usage. This represents a fundamental breakdown in the certificate validation logic that violates established security principles and can lead to unauthorized authentication scenarios. The flaw operates at the application layer within the ssl application of OTP, making it particularly dangerous as it affects the core security mechanisms of SSL/TLS communication.
The operational impact of this vulnerability is severe and far-reaching across systems utilizing OTP versions affected by this regression. Attackers could exploit this weakness to perform man-in-the-middle attacks by presenting certificates with incorrect extended key usage, potentially allowing unauthorized access to services that rely on certificate-based authentication. The vulnerability affects both server and client implementations within the ssl application, meaning that any system using OTP for secure communications could be compromised. This creates a significant risk for applications that depend on proper certificate validation to maintain security boundaries, including web servers, database connections, and any other services that utilize SSL/TLS with certificate authentication. The regression essentially weakens the security model that certificate-based authentication is designed to provide, making it possible for malicious actors to bypass authentication mechanisms through carefully crafted certificate presentations.
Organizations utilizing OTP versions affected by CVE-2024-53846 should immediately prioritize updating to patched releases that address this regression in the ssl application. The mitigation strategy should include comprehensive testing of all systems that rely on certificate-based authentication to ensure proper extended key usage validation is restored. Security teams should conduct thorough audits of their certificate management practices and verify that all certificate validation processes are functioning correctly. Additionally, monitoring should be implemented to detect any anomalous certificate validation behavior that might indicate exploitation attempts. This vulnerability aligns with CWE-295, which addresses improper certificate validation, and represents a significant concern under ATT&CK technique T1552.001, focusing on credentials from password storage. The security implications extend beyond immediate authentication bypasses to potentially enabling broader access to systems and data that depend on proper certificate validation for security boundaries.