CVE-2022-40735

EPSS 2.3%
Veröffentlicht 14.11.2022 23:15:11
Zuletzt bearbeitet 21.11.2024 07:21:56
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

The Diffie-Hellman Key Agreement Protocol allows use of long exponents that arguably make certain calculations unnecessarily expensive, because the 1996 van Oorschot and Wiener paper found that "(appropriately) short exponents" can be used when there are adequate subgroup constraints, and these short exponents can lead to less expensive calculations than for long exponents. This issue is different from CVE-2002-20001 because it is based on an observation about exponent size, rather than an observation about numbers that are not public keys. The specific situations in which calculation expense would constitute a server-side vulnerability depend on the protocol (e.g., TLS, SSH, or IKE) and the DHE implementation details. In general, there might be an availability concern because of server-side resource consumption from DHE modular-exponentiation calculations. Finally, it is possible for an attacker to exploit this vulnerability and CVE-2002-20001 together.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 15

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Diffie-hellman Key Exchange Project ≫ Diffie-hellman Key Exchange Version-

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	2.3%	0.811

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

https://dheatattack.gitlab.io/

https://github.com/mozilla/ssl-config-generator/issues/162

Third Party Advisory

Issue Tracking

https://ieeexplore.ieee.org/document/10374117

https://gist.github.com/c0r0n3r/9455ddcab985c50fd1912eabf26e058b

Third Party Advisory

https://link.springer.com/content/pdf/10.1007/3-540-68339-9_29.pdf

Third Party Advisory

Technical Description

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf

Third Party Advisory

US Government Resource

Technical Description

https://raw.githubusercontent.com/CVEProject/cvelist/9d7fbbcabd3f44cfedc9e8807757d31ece85a2c6/2022/40xxx/CVE-2022-40735.json

https://www.researchgate.net/profile/Anton-Stiglic-2/publication/2401745_Security_Issues_in_the_Diffie-Hellman_Key_Agreement_Protocol/links/546c144f0cf20dedafd53e7e/Security-Issues-in-the-Diffie-Hellman-Key-Agreement-Protocol.pdf

Third Party Advisory

Technical Description

https://www.rfc-editor.org/rfc/rfc3526

https://www.rfc-editor.org/rfc/rfc4419

https://www.rfc-editor.org/rfc/rfc5114#section-4

https://www.rfc-editor.org/rfc/rfc7919#section-5.2

https://nvd.nist.gov/vuln/detail/CVE-2022-40735

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-40735

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-40735

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2022-40735