CVE-2023-3817

EPSS 0.33%
Veröffentlicht 31.07.2023 16:15:10
Zuletzt bearbeitet 05.05.2025 16:15:47
Quelle openssl-security@openssl.org
CVE-Watchlists
Login
Unerledigt
Login

Issue summary: Checking excessively long DH keys or parameters may be very slow.

Impact summary: Applications that use the functions DH_check(), DH_check_ex()
or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long
delays. Where the key or parameters that are being checked have been obtained
from an untrusted source this may lead to a Denial of Service.

The function DH_check() performs various checks on DH parameters. After fixing
CVE-2023-3446 it was discovered that a large q parameter value can also trigger
an overly long computation during some of these checks. A correct q value,
if present, cannot be larger than the modulus p parameter, thus it is
unnecessary to perform these checks if q is larger than p.

An application that calls DH_check() and supplies a key or parameters obtained
from an untrusted source could be vulnerable to a Denial of Service attack.

The function DH_check() is itself called by a number of other OpenSSL functions.
An application calling any of those other functions may similarly be affected.
The other functions affected by this are DH_check_ex() and
EVP_PKEY_param_check().

Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications
when using the "-check" option.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 18

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

OpenSSL ≫ OpenSSL Version >= 3.0.0 < 3.0.10

OpenSSL ≫ OpenSSL Version >= 3.1.0 < 3.1.2

OpenSSL ≫ OpenSSL Version1.0.2 Update-

OpenSSL ≫ OpenSSL Version1.0.2 Updatebeta1

OpenSSL ≫ OpenSSL Version1.0.2 Updatebeta2

OpenSSL ≫ OpenSSL Version1.0.2 Updatebeta3

OpenSSL ≫ OpenSSL Version1.0.2a

OpenSSL ≫ OpenSSL Version1.0.2b

OpenSSL ≫ OpenSSL Version1.0.2c

OpenSSL ≫ OpenSSL Version1.0.2d

OpenSSL ≫ OpenSSL Version1.0.2e

OpenSSL ≫ OpenSSL Version1.0.2f

OpenSSL ≫ OpenSSL Version1.0.2g

OpenSSL ≫ OpenSSL Version1.0.2h

OpenSSL ≫ OpenSSL Version1.0.2i

OpenSSL ≫ OpenSSL Version1.0.2j

OpenSSL ≫ OpenSSL Version1.0.2k

OpenSSL ≫ OpenSSL Version1.0.2l

OpenSSL ≫ OpenSSL Version1.0.2m

OpenSSL ≫ OpenSSL Version1.0.2n

OpenSSL ≫ OpenSSL Version1.0.2o

OpenSSL ≫ OpenSSL Version1.0.2p

OpenSSL ≫ OpenSSL Version1.0.2q

OpenSSL ≫ OpenSSL Version1.0.2r

OpenSSL ≫ OpenSSL Version1.0.2s

OpenSSL ≫ OpenSSL Version1.0.2t

OpenSSL ≫ OpenSSL Version1.0.2u

OpenSSL ≫ OpenSSL Version1.0.2v

OpenSSL ≫ OpenSSL Version1.0.2w

OpenSSL ≫ OpenSSL Version1.0.2x

OpenSSL ≫ OpenSSL Version1.0.2y

OpenSSL ≫ OpenSSL Version1.0.2za

OpenSSL ≫ OpenSSL Version1.0.2zb

OpenSSL ≫ OpenSSL Version1.0.2zc

OpenSSL ≫ OpenSSL Version1.0.2zd

OpenSSL ≫ OpenSSL Version1.0.2ze

OpenSSL ≫ OpenSSL Version1.0.2zf

OpenSSL ≫ OpenSSL Version1.0.2zg

OpenSSL ≫ OpenSSL Version1.0.2zh

OpenSSL ≫ OpenSSL Version1.1.1 Update-

OpenSSL ≫ OpenSSL Version1.1.1 Updatepre1

OpenSSL ≫ OpenSSL Version1.1.1 Updatepre2

OpenSSL ≫ OpenSSL Version1.1.1 Updatepre3

OpenSSL ≫ OpenSSL Version1.1.1 Updatepre4

OpenSSL ≫ OpenSSL Version1.1.1 Updatepre5

OpenSSL ≫ OpenSSL Version1.1.1 Updatepre6

OpenSSL ≫ OpenSSL Version1.1.1 Updatepre7

OpenSSL ≫ OpenSSL Version1.1.1 Updatepre8

OpenSSL ≫ OpenSSL Version1.1.1 Updatepre9

OpenSSL ≫ OpenSSL Version1.1.1a

OpenSSL ≫ OpenSSL Version1.1.1b

OpenSSL ≫ OpenSSL Version1.1.1c

OpenSSL ≫ OpenSSL Version1.1.1d

OpenSSL ≫ OpenSSL Version1.1.1e

OpenSSL ≫ OpenSSL Version1.1.1f

OpenSSL ≫ OpenSSL Version1.1.1g

OpenSSL ≫ OpenSSL Version1.1.1h

OpenSSL ≫ OpenSSL Version1.1.1i

OpenSSL ≫ OpenSSL Version1.1.1j

OpenSSL ≫ OpenSSL Version1.1.1k

OpenSSL ≫ OpenSSL Version1.1.1l

OpenSSL ≫ OpenSSL Version1.1.1m

OpenSSL ≫ OpenSSL Version1.1.1n

OpenSSL ≫ OpenSSL Version1.1.1o

OpenSSL ≫ OpenSSL Version1.1.1p

OpenSSL ≫ OpenSSL Version1.1.1q

OpenSSL ≫ OpenSSL Version1.1.1r

OpenSSL ≫ OpenSSL Version1.1.1s

OpenSSL ≫ OpenSSL Version1.1.1t

OpenSSL ≫ OpenSSL Version1.1.1u

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.33%	0.552

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
134c704f-9b21-4f2e-91b3-4a467353bcc0	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-606 Unchecked Input for Loop Condition

The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping.

CWE-834 Excessive Iteration

The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.

https://security.netapp.com/advisory/ntap-20240621-0006/

https://security.gentoo.org/glsa/202402-08

http://seclists.org/fulldisclosure/2023/Jul/43

http://www.openwall.com/lists/oss-security/2023/07/31/1

https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html

http://www.openwall.com/lists/oss-security/2023/09/22/11

http://www.openwall.com/lists/oss-security/2023/09/22/9

https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a1eb62c29db6cb5eec707f9338aee00f44e26f5

Patch

Mailing List