CVE-2022-40735
Published: 14 November 2022
The Diffie-Hellman Key Agreement Protocol allows use of long exponents that arguably make certain calculations unnecessarily expensive, because the 1996 van Oorschot and Wiener paper found that "(appropriately) short exponents" can be used when there are adequate subgroup constraints, and these short exponents can lead to less expensive calculations than for long exponents. This issue is different from CVE-2002-20001 because it is based on an observation about exponent size, rather than an observation about numbers that are not public keys. The specific situations in which calculation expense would constitute a server-side vulnerability depend on the protocol (e.g., TLS, SSH, or IKE) and the DHE implementation details. In general, there might be an availability concern because of server-side resource consumption from DHE modular-exponentiation calculations. Finally, it is possible for an attacker to exploit this vulnerability and CVE-2002-20001 together.
From the Ubuntu Security Team
It was discovered that OpenSSL failed to choose an appropriately short private key size when computing shared-secrets in the Diffie-Hellman Key Agreement Protocol. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, resulting in a denial of service.
Notes
| Author | Note |
|---|---|
| alexmurray | It would appear upstream openssl fixed this in 3.1.0 via https://github.com/openssl/openssl/pull/18480 |
| mdeslaur | This was backported to 3.0.6 via https://github.com/openssl/openssl/pull/18793 doesn't affect 1.x |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
edk2 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(3.x only)
|
| focal |
Not vulnerable
(3.x only)
|
|
| jammy |
Not vulnerable
(3.x only)
|
|
| kinetic |
Ignored
(end of life, was needs-triage)
|
|
| lunar |
Ignored
(end of life, was deferred)
|
|
| mantic |
Not vulnerable
(3.x only)
|
|
| noble |
Not vulnerable
(contains 3.0.9)
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Needs triage
|
|
| xenial |
Not vulnerable
(3.x only)
|
|
|
nodejs Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(uses system openssl1.0)
|
| focal |
Not vulnerable
(uses system openssl)
|
|
| jammy |
Needed
|
|
| kinetic |
Not vulnerable
(uses system openssl)
|
|
| lunar |
Not vulnerable
(uses system openssl)
|
|
| mantic |
Not vulnerable
(uses system openssl)
|
|
| noble |
Not vulnerable
(uses system openssl)
|
|
| trusty |
Not vulnerable
(uses system openssl)
|
|
| upstream |
Needs triage
|
|
| xenial |
Not vulnerable
(uses system openssl)
|
|
|
openssl Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(3.x only)
|
| focal |
Not vulnerable
(1.1.1f-1ubuntu2.22)
|
|
| jammy |
Released
(3.0.2-0ubuntu1.16)
|
|
| kinetic |
Ignored
(end of life, was needs-triage)
|
|
| lunar |
Ignored
(end of life, was needs-triage)
|
|
| mantic |
Not vulnerable
(3.0.10-1ubuntu2.3)
|
|
| noble |
Not vulnerable
(3.0.13-0ubuntu3)
|
|
| trusty |
Not vulnerable
(3.x only)
|
|
| upstream |
Released
(3.0.6)
|
|
| xenial |
Not vulnerable
(3.x only)
|
|
|
Patches: upstream: https://github.com/openssl/openssl/commit/8ed6ddcaa559b7b04202c15ea3a95ee0b05caeba upstream: https://github.com/openssl/openssl/commit/c9bdbc12ac7343992ba249e11d2bda3338469a97 upstream: https://github.com/openssl/openssl/commit/5eac066bef0c23bb74255423d335e634e4deb8d5 upstream: https://github.com/openssl/openssl/commit/ce4579adf94d5f26e566a1e04c8a52ec5943cdd0 |
||
|
openssl1.0 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(3.x only)
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| noble |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needed
|
|
| xenial |
Does not exist
|
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.5 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References
- https://github.com/mozilla/ssl-config-generator/issues/162
- https://link.springer.com/content/pdf/10.1007/3-540-68339-9_29.pdf
- https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf
- https://www.researchgate.net/profile/Anton-Stiglic-2/publication/2401745_Security_Issues_in_the_Diffie-Hellman_Key_Agreement_Protocol/links/546c144f0cf20dedafd53e7e/Security-Issues-in-the-Diffie-Hellman-Key-Agreement-Protocol.pdf
- https://gist.github.com/c0r0n3r/9455ddcab985c50fd1912eabf26e058b
- https://www.rfc-editor.org/rfc/rfc4419
- https://www.rfc-editor.org/rfc/rfc7919#section-5.2
- https://www.rfc-editor.org/rfc/rfc3526
- https://raw.githubusercontent.com/CVEProject/cvelist/9d7fbbcabd3f44cfedc9e8807757d31ece85a2c6/2022/40xxx/CVE-2022-40735.json
- https://www.rfc-editor.org/rfc/rfc5114#section-4
- https://github.com/openssl/openssl/pull/18480
- https://ieeexplore.ieee.org/document/10374117
- https://www.cve.org/CVERecord?id=CVE-2022-40735
- https://ubuntu.com/security/notices/USN-6854-1
- NVD
- Launchpad
- Debian