Excessive delays in checking DSA keys or parameters may lead to Denial of Service attacks
CVE-2024-4603

Currently unrated

Key Information:

Vendor: OpenSSL
Status: OpenSSL
Vendor: CVE Published:; 16 May 2024

Summary

The vulnerability arises from the handling of excessively long DSA keys or parameters, which can significantly slow down applications utilizing OpenSSL. When employing the EVP_PKEY_param_check() and EVP_PKEY_public_check() functions to validate DSA public keys or DSA parameters obtained from untrusted sources, applications may become susceptible to Denial of Service (DoS) attacks due to prolonged processing times. These functions internally perform checks on DSA parameters without imposing limits on modulus sizes, potentially leading to delays when excessively large moduli are involved. Notably, while OpenSSL itself does not call these functions on untrusted DSA keys, any application directly invoking them may expose itself to this risk. The affected versions include OpenSSL 3.0 and 3.1, particularly in environments where FIPS providers are implemented.

Affected Version(s)

OpenSSL 3.0.0 < 3.0.14

OpenSSL 3.1.0 < 3.1.6

OpenSSL 3.2.0 < 3.2.2

References

https://www.openssl.org/news/secadv/20240516.txt

vendor-advisory

https://github.com/openssl/openssl/commit/3559e868e58005d...

patch

https://github.com/openssl/openssl/commit/9c39b3858091c15...

patch

Timeline

Vulnerability published
May 16, 2024
Vulnerability Reserved
May 7, 2024

Credit

OSS-Fuzz

Tomas Mraz