#VU82894 Resource management error in OpenSSL - CVE-2023-5678

Cybersecurity Help s.r.o.

Published: 2023-11-07 | Updated: 2024-04-08

Vulnerability identifier: #VU82894

Vulnerability risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-5678

CWE-ID: CWE-399

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenSSL
Server applications / Encryption software

Vendor: OpenSSL Software Foundation

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within DH_generate_key() and DH_check_pub_key() functions. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.

Mitigation
Install update from vendor's website.

Vulnerable software versions

OpenSSL: 1.0.2h - 1.0.2p, 1.1.1d - 1.1.1p, 3.0.0 - 3.0.12, 3.1.0 - 3.1.4

External links
https://www.openssl.org/news/secadv/20231106.txt

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Dell Client Platform update for AMI BIOS

Multiple vulnerabilities in Dell NetWorker and NetWorker Management Console

Multiple vulnerabilities in IBM Voice Gateway

Multiple vulnerabilities in IBM webMethods Managed File Transfer

Multiple vulnerabilities in Dell PowerProtect Data Manager

Dell EMC NetWorker vProxy update for third-party components

Anolis OS update for openssl

Multiple vulnerabilities in IBM Cloud Pak for AIOps

Multiple vulnerabilities in IBM Storage Protect Backup-Archive Client

Cisco NX-OS Firmware update for Openssl