SSL: OpenSSL Large DH Parameter Denial of Service

This signature detects denial-of-service attempts against OpenSSL. Successful exploitation causes the OpenSSL client, which may be a server application, to consume high CPU resources computing DH keys from the maliciously crafted DH prime, leading to resource exhaustion and denial of service.

Extended Description

During key agreement in a TLS handshake using a DH(E)-based ciphersuite, a malicious server can send a very large prime value to the client. This causes the client to spend an unreasonably long time generating a key for this prime, resulting in a hang until the client has finished. This could be exploited in a denial-of-service attack. Fixed in OpenSSL 1.1.0i-dev (affected: 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (affected: 1.0.2-1.0.2o).
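
A defender-side illustration of the check this description implies (an added example, not the signature's own logic and not OpenSSL code): parse a reassembled DHE ServerKeyExchange handshake message and flag a `dh_p` that exceeds a policy cap before any key generation happens. The function names, the 10000-bit cap and the sample messages are assumptions constructed for the example.

```python
import struct

SERVER_KEY_EXCHANGE = 12   # TLS handshake message type
MAX_DH_PRIME_BITS = 10000  # assumed local policy cap, not a value from this page

class ParseError(ValueError):
    pass

def _read_vec16(buf, off):
    """Read one TLS opaque<1..2^16-1> vector; return (value, next offset)."""
    if off + 2 > len(buf):
        raise ParseError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ParseError("bad vector length")
    return buf[off:off + n], off + n

def dh_prime_bits(handshake):
    """Bit length of dh_p in a reassembled DHE ServerKeyExchange message."""
    if len(handshake) < 4 or handshake[0] != SERVER_KEY_EXCHANGE:
        raise ParseError("not a ServerKeyExchange")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) != body_len:
        raise ParseError("truncated handshake body")
    # ServerDHParams: dh_p, dh_g, dh_Ys (any signature after them is ignored)
    p, off = _read_vec16(body, 0)
    _g, off = _read_vec16(body, off)
    _ys, off = _read_vec16(body, off)
    return int.from_bytes(p, "big").bit_length()

def verdict(handshake, max_bits=MAX_DH_PRIME_BITS):
    """Classify a message as 'ok', 'oversized' or 'malformed'."""
    try:
        bits = dh_prime_bits(handshake)
    except ParseError:
        return "malformed"
    return "oversized" if bits > max_bits else "ok"

def build_sample(p_bytes):
    """Constructed test message: dh_p is filler bytes, not a real prime."""
    fields = (b"\xff" * p_bytes, b"\x02", b"\x01" * p_bytes)
    body = b"".join(struct.pack("!H", len(v)) + v for v in fields)
    return bytes([SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body
```

Because `dh_p` is carried in a vector with a 16-bit length, the check runs on the length and leading bytes alone and costs nothing compared with the modular exponentiation it prevents.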

Affected Products

Nodejs node.js

Short Name
SSL:VULN:OPENSSL-DH-DOS
Severity
Minor
Recommended
True
Recommended Action
Drop
Category
SSL
Keywords
CVE-2018-0732 DH Denial Large OpenSSL Parameter Service bid:104442 of
Release Date
06/19/2018
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version
3590
False Positive
Unknown
Vendors

Openssl

Nodejs

Debian

Canonical

CVSS Score

5.0
