Bug 1205476 (CVE-2022-40735) - VUL-0: CVE-2022-40735: long exponents in Diffie-Hellman Key Agreement Protocol allow remote attackers to trigger expensive server-side DHE modular-exponentiation
Status: RESOLVED FIXED
Alias: CVE-2022-40735
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/348108/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-11-16 10:25 UTC by Carlos López
Modified: 2024-08-01 12:50 UTC
CC List: 5 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Carlos López 2022-11-16 10:25:32 UTC
CVE-2022-40735

Using long exponents in the Diffie-Hellman Key Agreement Protocol allows remote
attackers (from the client side) to trigger unnecessarily expensive server-side
DHE modular-exponentiation calculations. An attacker may cause asymmetric
resource consumption with any common client application which uses a DHE
implementation that applies short exponents. The attack may be more disruptive
in cases where a client sends arbitrary numbers that are actually not DH public
keys (aka the D(HE)ater attack) or can require a server to select its largest
supported key size. The basic attack scenario is that the client must claim that
it can only communicate with DHE, and the server must be configured to allow
DHE. This can affect TLS, SSH, and IKE.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-40735
https://www.cve.org/CVERecord?id=CVE-2022-40735
https://github.com/mozilla/ssl-config-generator/issues/162
https://gist.github.com/c0r0n3r/9455ddcab985c50fd1912eabf26e058b
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf
https://link.springer.com/content/pdf/10.1007/3-540-68339-9_29.pdf
https://www.researchgate.net/profile/Anton-Stiglic-2/publication/2401745_Security_Issues_in_the_Diffie-Hellman_Key_Agreement_Protocol/links/546c144f0cf20dedafd53e7e/Security-Issues-in-the-Diffie-Hellman-Key-Agreement-Protocol.pdf
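The description above comes down to a cost asymmetry: each side of a DHE exchange computes g^x mod p, and square-and-multiply spends work proportional to the bit length of its own x, not to anything about the peer's value. The following Python is an added illustration, not code from this bug report or from OpenSSL; it uses a constructed toy modulus and assumed helper names (`modexp_counted`, `worst_case_ops`, `amplification`, `in_range`).

```python
# Constructed toy modulus: the Mersenne prime 2^521 - 1. It is not a DH group; it only
# keeps the arithmetic real. Real DHE uses e.g. a 2048-bit prime (RFC 7919 ffdhe2048).
TOY_PRIME = 2**521 - 1
GENERATOR = 2


def modexp_counted(base, exponent, modulus):
    """Left-to-right square-and-multiply. Returns (result, squarings, multiplications).
    Both counts depend only on the exponent, never on the base a peer sends."""
    if exponent < 1:
        raise ValueError("exponent must be positive")
    bits = bin(exponent)[2:]
    result = base % modulus
    squarings = multiplications = 0
    for bit in bits[1:]:  # the leading 1 bit is consumed by the initial assignment
        result = (result * result) % modulus
        squarings += 1
        if bit == "1":
            result = (result * base) % modulus
            multiplications += 1
    return result, squarings, multiplications


def worst_case_ops(exponent_bits, modulus=TOY_PRIME):
    """Modular multiplications spent on the all-ones exponent of the given length."""
    _, sq, mul = modexp_counted(GENERATOR, (1 << exponent_bits) - 1, modulus)
    return sq + mul


def amplification(server_exp_bits, client_exp_bits):
    """How many server multiplications one client multiplication buys the client.
    A client using a short 256-bit x against a server using a full-length 2048-bit x
    forces roughly 8x its own work on the server, and the server's cost is the same
    whether or not the received value is a genuine public key (the D(HE)ater case)."""
    return worst_case_ops(server_exp_bits) / worst_case_ops(client_exp_bits)


def in_range(peer_value, modulus):
    """Cheap sanity check on a received key share: 1 < y < p-1 rejects the trivial
    values 0, 1 and p-1, but any other value still costs the server a full
    exponentiation, which is why the guidance in this bug is to prefer ECDHE over DHE."""
    return 1 < peer_value < modulus - 1


if __name__ == "__main__":
    print("server 2048-bit x vs client 256-bit x:", amplification(2048, 256))
    print("server 256-bit x vs client 256-bit x: ", amplification(256, 256))
```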
Comment 1 Marcus Meissner 2022-11-16 10:28:14 UTC
SUSE general guidance from the DHEATER issue is the same as here, move away from DHE key exchanges.
Comment 2 Thomas Leroy 2022-12-06 15:12:22 UTC
Nothing much we can do besides bsc#1192815.

Cf. guidelines for CVE-2002-20001 [0].

[0] https://www.suse.com/support/kb/doc/?id=000020510
Comment 3 Marcus Meissner 2023-05-22 15:48:08 UTC
https://www.openssl.org/blog/blog/2022/10/21/tls-groups-configuration/


for openssl 3.0 there is apparently a "fix" in 3.0.6?

https://github.com/openssl/openssl/pull/18793/files

we could do a minor version upgrade of our current supported openssl 3 versions to 3.0.6
Comment 4 Pedro Monreal Gonzalez 2023-05-22 21:03:14 UTC
(In reply to Marcus Meissner from comment #3)
> https://www.openssl.org/blog/blog/2022/10/21/tls-groups-configuration/
> 
> 
> for openssl 3.0 there is apparently a "fix" in 3.0.6?
> 
> https://github.com/openssl/openssl/pull/18793/files
> 
> we could do a minor version upgrade of our current supported openssl 3
> versions to 3.0.6

Thanks, Marcus! I'm assigning the bug to Otto as he is about to submit a couple of fixes together for openssl-3 and also to not lose track of this one. We are evaluating to update to 3.0.8 or even to a higher version.
Comment 5 Pedro Monreal Gonzalez 2023-05-22 21:03:49 UTC
See also: https://github.com/openssl/openssl/issues/17374
Comment 6 Otto Hollmann 2023-05-29 12:46:55 UTC
I backported the mentioned patch and OpenSSL builds fine.


Also, I checked the changelog between 3.0.1 and 3.0.8 and found only 2 potential issues/changes:

* The negative return value handling of the certificate verification callback was reverted. The replacement is to set the verification retry state with the SSL_set_retry_verify() function.
* The functions OPENSSL_LH_stats and OPENSSL_LH_stats_bio now only report the num_items, num_nodes and num_alloc_nodes statistics. All other statistics are no longer supported. For compatibility, these statistics are still listed in the output but are now always reported as zero.

The remaining changelog entries are only bug fixes, and I'm not aware of side effects from them. It should be safe to upgrade to version 3.0.8.
We would then also be able to remove about 37 (mostly) security patches from our codestream.
Comment 7 Otto Hollmann 2023-05-31 14:21:03 UTC
After discussion with Marcus (off bugzilla) we agreed to upgrade OpenSSL in SLE15-SP4 to the same version (3.0.8) as in SLE15-SP5.

Because this issue was fixed in 3.0.6, only one codestream (openssl-3.SUSE_SLE-15-SP4_Update) was affected.

Respective submission can be found here:

> Codestream              Package            Request
> ------------------------------------------------------------------------------------
> SUSE:SLE-15-SP4:Update  openssl-3          https://build.suse.de/request/show/300182
Comment 8 Otto Hollmann 2023-06-02 07:34:23 UTC
Request accepted, assigning back to security team.
Comment 9 Maintenance Automation 2023-06-08 08:30:08 UTC
SUSE-SU-2023:2470-1: An update that solves three vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1205476, 1210714, 1211430
CVE References: CVE-2022-40735, CVE-2023-1255, CVE-2023-2650
Sources used:
Basesystem Module 15-SP4 (src): openssl-3-3.0.8-150400.4.26.1
openSUSE Leap 15.4 (src): openssl-3-3.0.8-150400.4.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Robert Frohl 2024-05-03 09:13:50 UTC
done, closing