Resource exhaustion in Diffie-Hellman key exchange

#VU98050 Resource exhaustion in Diffie-Hellman key exchange

Published: 2024-10-06

Vulnerability identifier: #VU98050

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-41996

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Diffie-Hellman key exchange
Universal components / Libraries / Software for developers

Vendor: Diffie-Hellman key exchange

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to unnecessary validation of the public keys in the Diffie-Hellman Key Agreement Protocol when an approved safe prime is used. A remote attacker from the client side can trigger unnecessarily expensive server-side DHE modular-exponentiation calculations and cause asymmetric resource consumption, resulting in a denial of service (DoS) attack.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Diffie-Hellman key exchange: All versions

External links
http://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1
http://dheatattack.gitlab.io/details/
http://dheatattack.gitlab.io/faq/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

SUSE update for openssl-3

Denial of service in Diffie-Hellman Key Agreement Protocol implementation