cve-2022-40735
Vulnerability from cvelistv5
Published
2022-11-14 00:00
Modified
2024-08-03 12:28
Severity ?
EPSS score ?
Summary
The Diffie-Hellman Key Agreement Protocol allows use of long exponents that arguably make certain calculations unnecessarily expensive, because the 1996 van Oorschot and Wiener paper found that "(appropriately) short exponents" can be used when there are adequate subgroup constraints, and these short exponents can lead to less expensive calculations than for long exponents. This issue is different from CVE-2002-20001 because it is based on an observation about exponent size, rather than an observation about numbers that are not public keys. The specific situations in which calculation expense would constitute a server-side vulnerability depend on the protocol (e.g., TLS, SSH, or IKE) and the DHE implementation details. In general, there might be an availability concern because of server-side resource consumption from DHE modular-exponentiation calculations. Finally, it is possible for an attacker to exploit this vulnerability and CVE-2002-20001 together.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T12:28:41.552Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/mozilla/ssl-config-generator/issues/162" }, { "tags": [ "x_transferred" ], "url": "https://gist.github.com/c0r0n3r/9455ddcab985c50fd1912eabf26e058b" }, { "tags": [ "x_transferred" ], "url": "https://link.springer.com/content/pdf/10.1007/3-540-68339-9_29.pdf" }, { "tags": [ "x_transferred" ], "url": "https://www.researchgate.net/profile/Anton-Stiglic-2/publication/2401745_Security_Issues_in_the_Diffie-Hellman_Key_Agreement_Protocol/links/546c144f0cf20dedafd53e7e/Security-Issues-in-the-Diffie-Hellman-Key-Agreement-Protocol.pdf" }, { "tags": [ "x_transferred" ], "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf" }, { "tags": [ "x_transferred" ], "url": "https://www.rfc-editor.org/rfc/rfc4419" }, { "tags": [ "x_transferred" ], "url": "https://www.rfc-editor.org/rfc/rfc5114#section-4" }, { "tags": [ "x_transferred" ], "url": "https://www.rfc-editor.org/rfc/rfc7919#section-5.2" }, { "tags": [ "x_transferred" ], "url": "https://raw.githubusercontent.com/CVEProject/cvelist/9d7fbbcabd3f44cfedc9e8807757d31ece85a2c6/2022/40xxx/CVE-2022-40735.json" }, { "tags": [ "x_transferred" ], "url": "https://www.rfc-editor.org/rfc/rfc3526" }, { "tags": [ "x_transferred" ], "url": "https://dheatattack.gitlab.io/" }, { "tags": [ "x_transferred" ], "url": "https://ieeexplore.ieee.org/document/10374117" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "The Diffie-Hellman Key Agreement Protocol allows use of long exponents that arguably make certain calculations unnecessarily expensive, because the 1996 van Oorschot and Wiener paper found that \"(appropriately) short exponents\" can be used when there are adequate subgroup constraints, and these short exponents can lead to less expensive calculations than for long exponents. This issue is different from CVE-2002-20001 because it is based on an observation about exponent size, rather than an observation about numbers that are not public keys. The specific situations in which calculation expense would constitute a server-side vulnerability depend on the protocol (e.g., TLS, SSH, or IKE) and the DHE implementation details. In general, there might be an availability concern because of server-side resource consumption from DHE modular-exponentiation calculations. Finally, it is possible for an attacker to exploit this vulnerability and CVE-2002-20001 together." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-04-23T06:49:41.370072", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://github.com/mozilla/ssl-config-generator/issues/162" }, { "url": "https://gist.github.com/c0r0n3r/9455ddcab985c50fd1912eabf26e058b" }, { "url": "https://link.springer.com/content/pdf/10.1007/3-540-68339-9_29.pdf" }, { "url": "https://www.researchgate.net/profile/Anton-Stiglic-2/publication/2401745_Security_Issues_in_the_Diffie-Hellman_Key_Agreement_Protocol/links/546c144f0cf20dedafd53e7e/Security-Issues-in-the-Diffie-Hellman-Key-Agreement-Protocol.pdf" }, { "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf" }, { "url": "https://www.rfc-editor.org/rfc/rfc4419" }, { "url": "https://www.rfc-editor.org/rfc/rfc5114#section-4" }, { "url": "https://www.rfc-editor.org/rfc/rfc7919#section-5.2" }, { "url": "https://raw.githubusercontent.com/CVEProject/cvelist/9d7fbbcabd3f44cfedc9e8807757d31ece85a2c6/2022/40xxx/CVE-2022-40735.json" }, { "url": "https://www.rfc-editor.org/rfc/rfc3526" }, { "url": "https://dheatattack.gitlab.io/" }, { "url": "https://ieeexplore.ieee.org/document/10374117" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-40735", "datePublished": "2022-11-14T00:00:00", "dateReserved": "2022-09-15T00:00:00", "dateUpdated": "2024-08-03T12:28:41.552Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2022-40735\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2022-11-14T23:15:11.423\",\"lastModified\":\"2024-04-23T07:15:42.550\",\"vulnStatus\":\"Modified\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Diffie-Hellman Key Agreement Protocol allows use of long exponents that arguably make certain calculations unnecessarily expensive, because the 1996 van Oorschot and Wiener paper found that \\\"(appropriately) short exponents\\\" can be used when there are adequate subgroup constraints, and these short exponents can lead to less expensive calculations than for long exponents. This issue is different from CVE-2002-20001 because it is based on an observation about exponent size, rather than an observation about numbers that are not public keys. The specific situations in which calculation expense would constitute a server-side vulnerability depend on the protocol (e.g., TLS, SSH, or IKE) and the DHE implementation details. In general, there might be an availability concern because of server-side resource consumption from DHE modular-exponentiation calculations. Finally, it is possible for an attacker to exploit this vulnerability and CVE-2002-20001 together.\"},{\"lang\":\"es\",\"value\":\"Diffie-Hellman Key Agreement Protocol permite el uso de exponentes largos que posiblemente hacen que ciertos c\u00e1lculos sean innecesariamente costosos, porque el art\u00edculo de van Oorschot y Wiener de 1996 encontr\u00f3 que se pueden usar \\\"exponentes (apropiadamente) cortos\\\" cuando existen restricciones de subgrupo adecuadas, y estos exponentes cortos pueden conducir a c\u00e1lculos menos costosos que los de exponentes largos. Este problema es diferente de CVE-2002-20001, porque se basa en una observaci\u00f3n sobre el tama\u00f1o del exponente, en lugar de una observaci\u00f3n sobre n\u00fameros que no son claves p\u00fablicas. Las situaciones espec\u00edficas en las que el gasto de c\u00e1lculo constituir\u00eda una vulnerabilidad del lado del servidor dependen del protocolo (por ejemplo, TLS, SSH o IKE) y los detalles de implementaci\u00f3n de DHE. En general, puede haber un problema de disponibilidad debido al consumo de recursos del lado del servidor a partir de los c\u00e1lculos de exponenciaci\u00f3n modular de DHE. Finalmente, es posible que un atacante aproveche esta vulnerabilidad y CVE-2002-20001 juntos.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:diffie-hellman_key_exchange_project:diffie-hellman_key_exchange:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"43F56DA8-0635-41E8-B91C-485695B587AD\"}]}]}],\"references\":[{\"url\":\"https://dheatattack.gitlab.io/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://gist.github.com/c0r0n3r/9455ddcab985c50fd1912eabf26e058b\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/mozilla/ssl-config-generator/issues/162\",\"source\":\"cve@mitre.org\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://ieeexplore.ieee.org/document/10374117\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://link.springer.com/content/pdf/10.1007/3-540-68339-9_29.pdf\",\"source\":\"cve@mitre.org\",\"tags\":[\"Technical Description\",\"Third Party Advisory\"]},{\"url\":\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf\",\"source\":\"cve@mitre.org\",\"tags\":[\"Technical Description\",\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"https://raw.githubusercontent.com/CVEProject/cvelist/9d7fbbcabd3f44cfedc9e8807757d31ece85a2c6/2022/40xxx/CVE-2022-40735.json\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://www.researchgate.net/profile/Anton-Stiglic-2/publication/2401745_Security_Issues_in_the_Diffie-Hellman_Key_Agreement_Protocol/links/546c144f0cf20dedafd53e7e/Security-Issues-in-the-Diffie-Hellman-Key-Agreement-Protocol.pdf\",\"source\":\"cve@mitre.org\",\"tags\":[\"Technical Description\",\"Third Party Advisory\"]},{\"url\":\"https://www.rfc-editor.org/rfc/rfc3526\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://www.rfc-editor.org/rfc/rfc4419\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://www.rfc-editor.org/rfc/rfc5114#section-4\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://www.rfc-editor.org/rfc/rfc7919#section-5.2\",\"source\":\"cve@mitre.org\"}]}}" } }
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.