Diffie-Hellman Key Agreement Protocol Exploit in Mozilla's TLS and SSH Implementations
CVE-2022-40735

7.5 HIGH

What is CVE-2022-40735?

The Diffie-Hellman Key Agreement Protocol may permit the use of excessively long exponents, which leads to resource-intensive calculations that could exhaust server capacity. The cost is avoidable: when subgroup constraints are adequate, shorter exponents can be used, and they make the operations less computationally expensive. The exploitation scenarios vary with the underlying protocol; in particular, TLS and SSH could experience availability issues due to excessive modular exponentiation demands. Attackers may also leverage this vulnerability in conjunction with CVE-2002-20001, amplifying the potential impact on affected systems.
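The cost difference described above can be measured by counting modular multiplications per handshake. This is an added example, not code from the CVE record or any affected project; the modulus `P`, the generator `G`, the 2048-bit and 256-bit exponent sizes and all function names are assumptions chosen for illustration.

```python
import hashlib

# Constructed 2048-bit odd modulus, used only to size the arithmetic.
# Assumption: it stands in for a real group; it is NOT a vetted DH prime.
P = (1 << 2048) - 1557
G = 2

def modexp_counted(base, exp, mod):
    """Left-to-right square-and-multiply; returns (result, modular multiplications)."""
    result, ops = base % mod, 0
    for bit in bin(exp)[3:]:              # skip '0b' and the leading 1 bit
        result = result * result % mod    # one squaring per remaining bit
        ops += 1
        if bit == "1":
            result = result * base % mod  # one extra multiply per set bit
            ops += 1
    return result, ops

def private_exponent(label, bits):
    """Deterministic stand-in for a random exponent of exactly `bits` bits."""
    raw = hashlib.shake_256(label).digest(bits // 8)
    return int.from_bytes(raw, "big") | (1 << (bits - 1))

def handshake_cost(bits):
    """Run one DH exchange; return (secrets agree, server-side multiplications)."""
    a = private_exponent(b"client", bits)
    b = private_exponent(b"server", bits)
    A, _ = modexp_counted(G, a, P)            # client public value
    B, ops_pub = modexp_counted(G, b, P)      # server public value
    s_server, ops_sec = modexp_counted(A, b, P)
    s_client, _ = modexp_counted(B, a, P)
    return s_server == s_client, ops_pub + ops_sec

if __name__ == "__main__":
    for bits in (2048, 256):
        ok, ops = handshake_cost(bits)
        print(f"{bits}-bit exponent: agree={ok}, server multiplications={ops}")
```

Server work grows linearly with the exponent's bit length, so the short exponent cuts the per-handshake cost roughly in proportion while both sides still derive the same secret.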

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved