CVE-2002-20001: GitHub - Balasys/dheater: D(HE)ater is a proof of concept implementation of the D(HE)at attack (CVE-2002-20001) through which denial-of-service can be performed by enforcing the Diffie-Hellman key ex
The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)ater attack. The client needs very little CPU resources and network bandwidth. The attack may be more disruptive in cases where a client can require a server to select its largest supported key size. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE.
D(HE)ater
D(HE)ater is an attacking tool based on CPU heating: it forces the ephemeral variant of Diffie-Hellman key exchange (DHE) in a given cryptographic protocol (e.g. TLS, SSH). It does so without calculating a cryptographically correct ephemeral key on the client side, while still causing a significant amount of calculation on the server side. On this basis a denial-of-service (DoS) attack can be initiated, called the D(HE)at attack (CVE-2002-20001).
Quick start
D(HE)ater can be installed directly via pip from PyPI:
pip install dheater
dheat --protocol tls ecc256.badssl.com
dheat --protocol ssh ecc256.badssl.com
or can be used via Docker from Docker Hub:
docker pull balasys/dheater
docker run --tty --rm balasys/dheater --protocol tls ecc256.badssl.com
docker run --tty --rm balasys/dheater --protocol ssh ecc256.badssl.com
You can increase the load by starting extra threads:
dheat --thread-num 4 --protocol tls ecc256.badssl.com
docker run --tty --rm balasys/dheater --thread-num 4 --protocol tls ecc256.badssl.com
docker run --tty --rm balasys/dheater --thread-num 4 --protocol ssh ecc256.badssl.com
Check
Without attacking a server or accessing its configuration it is still possible to determine whether Diffie-Hellman (DH) key exchange is enabled and, if so, which DH parameters (prime, generator, key size) are used. Command line tools such as CryptoLyzer (TLS, SSH KEX/GEX), testssl.sh (TLS only), or ssh-audit (SSH KEX only) can do that work.
TLS
cryptolyze tls1_2 dhparams example.com
cryptolyze tls1_3 dhparams example.com
testssl.sh --fs example.com
SSH
cryptolyze ssh2 dhparams example.com
ssh-audit example.com
Mitigation
Configuration
Diffie-Hellman (DHE) key exchange should be disabled if no other mitigation mechanism can be used and either the elliptic-curve variant of Diffie-Hellman (ECDHE) or RSA key exchange is supported by the clients. Keep in mind that RSA key exchange is not forward secret.
TLS
Setting the elliptic-curve (named group) list is necessary only if the underlying cryptographic library supports negotiating Diffie-Hellman groups, either by implementing RFC 7919 in TLS 1.2 or by supporting the Finite Field Diffie-Hellman (FFDHE) named groups in TLS 1.3.
| Library | Version | FFDHE groups in TLS 1.2 | FFDHE groups in TLS 1.3 |
|---------|---------|-------------------------|-------------------------|
| OpenSSL | < 3.0   | no                      | no                      |
| OpenSSL | ≥ 3.0   | no                      | yes                     |
| GnuTLS  | ≥ 3.5.6 | yes                     | no                      |
| GnuTLS  | ≥ 3.6.3 | yes                     | yes                     |
Apache
SSLCipherSuite ...:!kDHE
SSLOpenSSLConfCmd Groups x25519:secp256r1:x448:secp521r1:secp384r1
NGINX
ssl_ciphers ...:!kDHE;
ssl_ecdh_curve x25519:secp256r1:x448:secp521r1:secp384r1;
Postfix
Diffie-Hellman key exchange algorithms can be removed by setting the tls_medium_cipherlist configuration option.
tls_medium_cipherlist …:!kDHE
The maximum number of new TLS sessions that a remote SMTP client is allowed to negotiate can be controlled by the smtpd_client_new_tls_session_rate_limit configuration option.
smtpd_client_new_tls_session_rate_limit 100
Others
See moz://a SSL Configuration Generator for configuration syntax.
DH parameter files
If DH key exchange must remain supported, the DH parameter file should carry the recommended private key length, so that the library uses a short private exponent and DH key exchange performs as well as possible without a security risk.
You can check whether your DH parameter file contains the recommended private key size with the following command:
tools/dh_param_priv_key_size_setter /path/to/dh/parameter/file.pem
The result looks like the following. If the original private key size is None, some cryptographic libraries use the public key size as the private key size unless the application server overrides this behaviour, which gives much lower performance than a short private key would.
Original private key size: None
Set private key size: None
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----
To set the recommended private key size in a DH parameter file use the following command:
tools/dh_param_priv_key_size_setter --private-key-size KEY_SIZE /path/to/dh/parameter/file.pem
For appropriate private key sizes see Table 2 of NIST SP 800-57 Part 1. Alternatively, you can download the well-known DH parameters, with the recommended private key size set according to the OpenSSL default values, from the data directory.
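As an added example (not part of the D(HE)ater project and not its dh_param_priv_key_size_setter tool), the Python below does the check described in this section on the DH parameter file shown above: it parses the PKCS#3 DHParameter structure (a DER SEQUENCE of INTEGERs p, g and the optional privateValueLength), reports whether the private value length is set, writes a copy with it set, and times server-side ephemeral key generation with a full-size exponent against a short one, which is the cost asymmetry the attack description at the top relies on. The 225-bit value is an assumption for a 2048-bit group (2 * 112 + 1, the OpenSSL convention for its named groups; NIST SP 800-57 Part 1 Table 2 gives N = 224 for L = 2048), and the function names are mine.

```python
import base64
import secrets
import time

# Sample input: the DH parameter file from the README above (a 2048-bit prime
# with generator 2; its leading bytes match the RFC 7919 ffdhe2048 prime).
SAMPLE_PEM = """-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----
"""

# Assumed recommended private value length for a 2048-bit group (see lead-in).
RECOMMENDED_PRIV_BITS_2048 = 225


def _read_tlv(data, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                     # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _der_length(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_integer(v):
    """Encode a non-negative integer as a minimal DER INTEGER."""
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:                       # keep the sign bit clear
        b = b"\x00" + b
    return b"\x02" + _der_length(len(b)) + b


def pem_to_der(pem):
    lines = [ln.strip() for ln in pem.splitlines()
             if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(lines))


def der_to_pem(der):
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN DH PARAMETERS-----\n" + body + "\n-----END DH PARAMETERS-----\n"


def parse_dh_params(pem):
    """Return {'p', 'g', 'private_value_length'} from a PKCS#3 DHParameter PEM;
    private_value_length is None when the optional third INTEGER is absent."""
    der = pem_to_der(pem)
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single DER SEQUENCE")
    ints, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("expected DER INTEGER inside DHParameter")
        ints.append(int.from_bytes(value, "big", signed=True))
    if len(ints) not in (2, 3):
        raise ValueError("DHParameter must hold p, g and optionally privateValueLength")
    return {"p": ints[0], "g": ints[1],
            "private_value_length": ints[2] if len(ints) == 3 else None}


def set_private_value_length(pem, bits):
    """Re-encode the parameters with privateValueLength = bits (added or replaced)."""
    params = parse_dh_params(pem)
    body = _der_integer(params["p"]) + _der_integer(params["g"]) + _der_integer(bits)
    return der_to_pem(b"\x30" + _der_length(len(body)) + body)


def ephemeral_public_value(p, g, priv_bits):
    """Server-side DHE key generation: random x of at most priv_bits bits, y = g^x mod p."""
    x = secrets.randbits(priv_bits) | 1   # odd, non-zero exponent
    return x, pow(g, x, p)


def keygen_seconds(p, g, priv_bits, rounds=20):
    """Wall-clock cost of `rounds` server-side key generations (for comparison only)."""
    start = time.perf_counter()
    for _ in range(rounds):
        ephemeral_public_value(p, g, priv_bits)
    return time.perf_counter() - start


if __name__ == "__main__":
    params = parse_dh_params(SAMPLE_PEM)
    print("p bits:", params["p"].bit_length(), "g:", params["g"],
          "privateValueLength:", params["private_value_length"])
    fixed = set_private_value_length(SAMPLE_PEM, RECOMMENDED_PRIV_BITS_2048)
    print("after setting:", parse_dh_params(fixed)["private_value_length"])
    # With privateValueLength absent a library may use a full-size exponent;
    # compare that with the recommended short exponent.
    p, g = params["p"], params["g"]
    print("2048-bit exponent: %.3fs" % keygen_seconds(p, g, 2048))
    print(" 225-bit exponent: %.3fs" % keygen_seconds(p, g, RECOMMENDED_PRIV_BITS_2048))
```

Running the block reports the sample file with privateValueLength absent (the "None" case above), then the re-encoded copy carrying 225, and the timing lines show how much more each server-side key generation costs when the exponent is as long as the prime.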
SSH
OpenSSH
Diffie-Hellman key exchange algorithms can be removed by setting the KexAlgorithms configuration option:
KexAlgorithms -diffie-hellman-group1-sha1,diffie-hellman-group1-sha256,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group15-sha256,diffie-hellman-group15-sha512,diffie-hellman-group16-sha256,diffie-hellman-group16-sha512,diffie-hellman-group17-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha512
The maximum number of concurrent unauthenticated connections can be controlled by the following configuration options:
MaxStartups (globally)
MaxStartups 10:30:100
PerSourceMaxStartups (per source IP subnetworks)
PerSourceMaxStartups 1
PerSourceNetBlockSize (size of the subnetworks grouped together)
PerSourceNetBlockSize 32:128
Fail2Ban
TLS
Apache
There are no relevant filters.
apache-ssl.conf in the fail2ban directory should be copied to the filter.d directory under the fail2ban configuration directory, and the following should be added to the jail.local file in the fail2ban configuration directory:
[apache-ssl]
port = https
logpath = %(apache_error_log)s
maxretry = 1
Postfix
There is a relevant filter, but it is applied only in ddos mode. The following should be added to jail.local.
Dovecot
There is a relevant filter, but it is applied only in ddos mode. The following should be added to jail.local:
[dovecot]
mode = aggressive
Alternatively, a specific filter can be used without changing the mode of dovecot: dovecot-ssl.conf in the fail2ban directory should be copied to the filter.d directory under the fail2ban configuration directory, and the following should be added to jail.local in the fail2ban configuration directory:
[dovecot-ssl]
port = pop3,pop3s,imap,imaps,submission,465,sieve
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s
maxretry = 1
SSH
OpenSSH
There is a relevant filter, but it is applied only in ddos mode. The following should be added to jail.local.
License
The code is available under the terms of Apache License Version 2.0. A non-comprehensive, but straightforward description and also the full license text can be found at Choose an open source license website.