CVE-2024-39956 in NeuVector stems from TLS certificate verification being disabled by default for OpenID Connect authentication and for NeuVector's other outbound TLS connections. When NeuVector connects to an external server over TLS, whether an identity provider, a container registry or a webhook endpoint, it does not validate the server's certificate unless verification has been switched on. An attacker who can intercept that traffic, for example from the same network, can therefore mount a man-in-the-middle (MITM) attack: the attacker presents a self-signed or otherwise fraudulent certificate, the NeuVector client accepts it, and the TLS session terminates at the attacker instead of at the intended server. Everything inside the session can then be read or altered, including authentication tokens, login credentials and other sensitive data exchanged during the OpenID Connect flow.

The flaw affects every connection type for which TLS verification applies: authentication servers (SAML, LDAP, OIDC), registry servers and webhook servers. NeuVector added support for TLS verification in version 5.4.0 but left it disabled by default to preserve backward compatibility, and unpatched releases prior to 5.4.8 keep that default, so a deployment stays exposed unless the setting is changed by hand. The issue matters most where NeuVector runs without strict network controls or where certificates from an internal CA are not enforced, because it undermines both the integrity and the confidentiality of authentication and data exchange.
Platform: NeuVector
Version: Prior to 5.4.8
Vulnerability: TLS Verification Bypass
Severity: Critical
Date: 2024-08-01
Prediction: Patched in v5.4.8
What Undercode Says:
Analytics
- Check the deployed version: `kubectl get deployment neuvector -n neuvector -o jsonpath='{.spec.template.spec.containers[*].image}'`
- Verify the TLS setting: `kubectl get configmap neuvector-config -n neuvector -o yaml | grep tls_verification`
- Enable it via kubectl: `kubectl patch configmap neuvector-config -n neuvector --type merge -p '{"data":{"tls_verification":"true"}}'`

Resource names such as `neuvector` and `neuvector-config` depend on how NeuVector was installed (the Helm release name in particular); confirm them with `kubectl get deploy,cm -n neuvector` before running the commands above.
How it is exploited:
- Get on-path between NeuVector and the target server (for example on the same network) and intercept the TLS traffic with a tool such as mitmproxy or sslsplit.
- Impersonate the identity provider (or the registry or webhook server) with a self-signed certificate; the unverifying client accepts it.
- Capture or alter the authentication tokens and credentials carried in the now-decrypted session.
Protection from this CVE
- Enable TLS verification in the UI under Settings > Configuration.
- Upgrade to version 5.4.8 or later.
- Use certificates issued by a CA that NeuVector trusts; once verification is on, connections to servers that still present self-signed or unknown-CA certificates will fail until those servers carry trusted certificates.
Impact:
- Man-in-the-middle interception of NeuVector's connections to identity providers, registries and webhook servers.
- Authentication bypass, because an attacker impersonating the identity provider controls the login response NeuVector accepts.
- Exposure of tokens, credentials and other data carried in the intercepted sessions.
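The following Go program is an added example; it is not part of the original post and not NeuVector's own code. It reproduces the mechanism described above in miniature: a local httptest server plays a rogue identity provider with a self-signed certificate (the host name `idp.example.internal` and the secret value `constructed-oidc-client-secret` are constructed for the demo), and a client posts an OIDC client secret to its token endpoint under three policies: verification off (the pre-5.4.8 default), verification on with the rogue certificate untrusted, and verification on with the certificate in the trust store. Only the first policy hands the secret to the rogue server; the second fails the handshake with an unknown-authority error before any application data is sent.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync/atomic"
	"time"
)

// ClientSecret is a constructed sample value for the OIDC client secret.
const ClientSecret = "constructed-oidc-client-secret"

// selfSignedCert mints a throwaway self-signed certificate for host, also valid for loopback.
func selfSignedCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Scenario posts the client secret to a self-signed "identity provider" and returns
// the secret that server saw ("" if the handshake was refused) plus the client error.
// skipVerify=true is the pre-5.4.8 NeuVector default (accept any certificate);
// trustServer=true puts the server's certificate in the client's trust store.
func Scenario(skipVerify, trustServer bool) (string, error) {
	serverCert, err := selfSignedCert("idp.example.internal") // constructed host name
	if err != nil {
		return "", err
	}
	var seen atomic.Value // client_secret as read by whoever terminates TLS
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen.Store(r.PostFormValue("client_secret"))
		fmt.Fprint(w, `{"access_token":"server-chosen","token_type":"Bearer"}`) // attacker picks the token
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{serverCert}}
	srv.StartTLS()
	defer srv.Close()

	pool := x509.NewCertPool() // an operator-provisioned CA bundle would be loaded here
	if trustServer {
		pool.AddCert(srv.Certificate())
	}
	transport := &http.Transport{TLSClientConfig: &tls.Config{
		InsecureSkipVerify: skipVerify, // the vulnerable setting when true
		RootCAs:            pool,
	}}
	defer transport.CloseIdleConnections()
	client := &http.Client{Transport: transport, Timeout: 5 * time.Second}
	resp, err := client.PostForm(srv.URL+"/token", url.Values{
		"grant_type":    {"client_credentials"},
		"client_secret": {ClientSecret},
	})
	if err == nil {
		_, err = io.Copy(io.Discard, resp.Body)
		resp.Body.Close()
	}
	got, _ := seen.Load().(string)
	return got, err
}

// IsUntrusted reports whether err is a refusal of a certificate that chains to no trusted root.
func IsUntrusted(err error) bool {
	var unknown x509.UnknownAuthorityError
	return errors.As(err, &unknown)
}

func main() {
	fmt.Println(Scenario(true, false))  // verification off: secret reaches the rogue server, no error
	fmt.Println(Scenario(false, false)) // verification on: handshake refused, secret never sent
	fmt.Println(Scenario(false, true))  // verification on, trusted provider: normal exchange
}
```

Run it with `go run .` from a module directory. `InsecureSkipVerify` is Go's equivalent of NeuVector's verification-disabled setting, and the `RootCAs` pool is where a real client would load the operator's CA bundle; the third case shows that turning verification on only works once the server's certificate chains to something in that pool.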
Sources:
Reported By: github.com

