Full Report
Google has revealed that its AI-powered fuzzing tool, OSS-Fuzz, has been used to help identify 26 vulnerabilities in various open-source code repositories, including a medium-severity flaw in the OpenSSL cryptographic library. "These particular vulnerabilities represent a milestone for automated vulnerability finding: each was found with AI, using AI-generated and enhanced fuzz targets,"
Analysis Summary
# Vulnerability: OpenSSL Out-of-Bounds Memory Write Found by AI Fuzzing
## CVE Details
- CVE ID: CVE-2024-9143
- CVSS Score: 4.3 (Medium)
- CWE: Out-of-bounds Write (Implied by description)
## Affected Systems
- Products: OpenSSL cryptographic library
- Versions: All versions prior to the patched releases (specific vulnerable versions are not listed; the flaw is reported to have existed in the codebase for about two decades).
- Configurations: Any application linking to the vulnerable OpenSSL libraries.
## Vulnerability Description
The vulnerability is an Out-of-Bounds (OOB) memory write bug found within the OpenSSL codebase. If successfully exploited, it could lead to an application crash or potentially allow for Remote Code Execution (RCE). Google noted this flaw had likely persisted in the codebase for two decades and was difficult to find using human-written fuzz targets.
## Exploitation
- Status: Not explicitly confirmed as exploited in the wild; the discovery of a PoC by an automated tool implies exploitability.
- Complexity: Medium (Implied by potential for RCE, though the initial discovery utilized advanced AI fuzzing).
- Attack Vector: Network (Implied by the nature of cryptographic library vulnerabilities often being triggered remotely).
## Impact
- Confidentiality: Potential loss if RCE is achieved.
- Integrity: Potential loss if RCE is achieved.
- Availability: High (Application crash is possible).
## Remediation
### Patches
- OpenSSL version **3.3.3**
- OpenSSL version **3.2.4**
- OpenSSL version **3.1.8**
- OpenSSL version **3.0.16**
- OpenSSL version **1.1.1zb**
- OpenSSL version **1.0.2zl**
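As an added example (not tooling from OpenSSL, Google or the source article), the following Python check compares an installed OpenSSL version string against the fixed releases listed above. The handling of the 1.x letter patch levels (1.1.1w, 1.1.1za, 1.1.1zb, ...) is my own assumption about how those strings are ordered; the sample banners are constructed.

```python
"""Check whether an OpenSSL version string carries the CVE-2024-9143 fix.

Added example for this report, not code from OpenSSL or Google. The fixed
versions are copied from the Patches list above; the ordering of 1.x letter
patch levels (a..z, then za, zb, ...) is an assumption about OpenSSL's scheme.
"""
import re
import subprocess

# Fixed releases per branch, copied from the Patches list on this page.
FIXED_VERSIONS = {
    "3.3": "3.3.3",
    "3.2": "3.2.4",
    "3.1": "3.1.8",
    "3.0": "3.0.16",
    "1.1.1": "1.1.1zb",
    "1.0.2": "1.0.2zl",
}

# Release versions only; "-dev", "-fips" or similar suffixes are rejected
# so that a pre-release build is never mistaken for the fixed release.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def parse_version(text):
    """Turn '1.1.1zb' or '3.0.16' into a comparable tuple.

    Letter patch levels in OpenSSL 1.x run a..z then za, zb, ...; comparing
    by (length, string) preserves that order ('' < 'a' < 'z' < 'za' < 'zb').
    Returns None if the string is not a plain OpenSSL release version.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, letters = m.groups()
    return (int(major), int(minor), int(patch), len(letters), letters)


def branch_of(version):
    """Map a parsed version to the branch key used in FIXED_VERSIONS.

    3.x branches are identified by major.minor; 1.x branches by major.minor.patch
    (1.1.1 and 1.0.2 are separate branches that differ only in the patch field).
    """
    major, minor, patch = version[0], version[1], version[2]
    if major >= 3:
        return f"{major}.{minor}"
    return f"{major}.{minor}.{patch}"


def assess(version_text):
    """Return 'fixed', 'vulnerable', 'unsupported' or 'unparseable'."""
    v = parse_version(version_text)
    if v is None:
        return "unparseable"
    fixed = FIXED_VERSIONS.get(branch_of(v))
    if fixed is None:
        # A branch the page lists no fix for (e.g. 1.1.0); review it manually.
        return "unsupported"
    return "fixed" if v >= parse_version(fixed) else "vulnerable"


def version_from_banner(banner):
    """Extract the version token from `openssl version` output.

    'OpenSSL 3.0.13 <date>' -> '3.0.13'; returns '' if no version is found.
    """
    m = re.search(r"OpenSSL\s+(\S+)", banner)
    return m.group(1) if m else ""


if __name__ == "__main__":
    # Constructed sample banners in the shape `openssl version` prints
    # (the date on the first line is made up).
    samples = [
        "OpenSSL 3.0.13 1 Jan 2000",
        "OpenSSL 3.0.16",
        "OpenSSL 1.1.1w",
        "OpenSSL 1.1.1zb",
        "OpenSSL 3.0.16-dev",
    ]
    for banner in samples:
        print(f"{banner!r}: {assess(version_from_banner(banner))}")
    # Live check of the local binary, if one is installed.
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True).stdout
        print(f"local {out.strip()!r}: {assess(version_from_banner(out))}")
    except (OSError, subprocess.CalledProcessError):
        print("local: openssl binary not found")
```

One caveat when using this in an inventory: distribution packages often backport the fix while keeping the upstream version string unchanged, so a "vulnerable" result from the version alone should be confirmed against the package's changelog before it is treated as a finding.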
### Workarounds
- No specific workarounds were detailed in the provided text, other than immediate patching.
## Detection
- Detection methods are not explicitly detailed, but given the nature of the bug (an OOB write), standard memory-corruption detection tools and runtime integrity checks should be monitored. Indicators of compromise would most likely be application crashes or unexpected memory access or write patterns in SSL/TLS processing functions.
## References
- Vendor Advisory: hxxps://openssl-library.org/news/secadv/20241016.txt
- Google Blog Post (OSS-Fuzz context): hxxps://security.googleblog.com/2024/11/leveling-up-fuzzing-finding-more.html