Deutsche Telekom Discloses Security Vulnerabilities Found by Internal Testers

Deutsche Telekom's security experts have identified and reported multiple vulnerabilities in software libraries. The company is publishing details after the weaknesses have been remediated.

27 June 2026

Deutsche Telekom has disclosed details regarding several security vulnerabilities discovered by its internal security evaluators in software solutions it utilizes. The company adheres to a responsible disclosure policy, releasing information only after vulnerabilities have been corrected and affected parties have provided their consent.

Recent findings include two remote buffer overflow vulnerabilities within the SharkSSL TLS library. The first, CVE-2024-53379, affects the Client Hello handshake processing and was reported in December 2024. A second vulnerability, CVE-2024-48075, related to Client Key Exchange handshake processing, was published in November 2024.

The company also reported a critical denial-of-service (DoS) vulnerability (CVE-2023-24609) in the MatrixSSL TLSv1.3 library's pre-shared-key parsing, discovered in December 2023. Additionally, a critical DNS leakage vulnerability was identified in the strongSwan mobile VPN client (discovered December 2023), and a further critical remote buffer overflow vulnerability was found in MatrixSSL TLSv1.3 server message processing (CVE-2022-43974, published January 2023).

These discoveries were made by security evaluators from Deutsche Telekom Security GmbH and Deutsche Telekom AG using modern fuzzing techniques. The company aims to contribute to cybersecurity by publishing technical comments and CERT advisories, potentially assisting other organizations in identifying and addressing similar threats.

Original source: telekom.com