The OSS-Fuzz project has reported a vulnerability in OpenSSL, CVE-2024-9143, discovered by its subproject OSS-Fuzz-Gen. It could possibly lead to remote code execution, although exploiting it may prove difficult. What makes this vulnerability notable is that it is the first CVE identified by OSS-Fuzz-Gen.
Currently, OSS-Fuzz-Gen has found a total of 26 bugs since late last year, with one yet to be disclosed. However, the previous bugs did not come with a CVE number.
This vulnerability stems from the X9.62 encoding configuration, which is not commonly used. While it may be a genuine remote code execution vulnerability, the risk is not particularly high. However, applications impacted by this vulnerability must be particularly cautious.
OSS-Fuzz-Gen uses large language models (LLMs) to generate fuzz test suites. If the generated code does not compile, it automatically makes corrections until the code passes, and then injects values. Currently, the project supports C, C++, Java, and Python.
Source: OpenSSL
TLDR: OSS-Fuzz project discovers CVE-2024-9143 vulnerability in OpenSSL, potentially leading to remote code execution. OSS-Fuzz-Gen uses AI to create fuzz tests and supports multiple programming languages.