Showing 1 - 5 of 5

CVE-2024-4603

Status Candidate

Overview

Issue summary: Checking excessively long DSA keys or parameters may be very slow. Impact summary: Applications that use the functions EVP_PKEY_param_check() or EVP_PKEY_public_check() to check a DSA public key or DSA parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. The functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform various checks on DSA parameters. Some of those computations take a long time if the modulus (`p` parameter) is too large. Trying to use a very large modulus is slow and OpenSSL will not allow using public keys with a modulus which is over 10,000 bits in length for signature verification. However the key and parameter check functions do not limit the modulus size when performing the checks. An application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. These functions are not called by OpenSSL itself on untrusted DSA keys so only applications that directly call these functions may be vulnerable. Also vulnerable are the OpenSSL pkey and pkeyparam command line applications when using the `-check` option. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.

Related Files

Ubuntu Security Notice USN-6937-1: Posted Aug 1, 2024; Authored by Ubuntu | Site security.ubuntu.com; Ubuntu Security Notice 6937-1 - It was discovered that OpenSSL incorrectly handled TLSv1.3 sessions when certain non-default TLS server configurations were in use. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, leading to a denial of service. It was discovered that OpenSSL incorrectly handled checking excessively long DSA keys or parameters. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, leading to a denial of service. This issue only affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS.; tags | advisory, remote, denial of service; systems | linux, ubuntu; advisories | CVE-2024-2511, CVE-2024-4603, CVE-2024-4741, CVE-2024-5535; SHA-256 | c8595adc7fa4495060ec748b444e17442f4a82570c3c5f9b77fbc6213de8ea38; Download | Favorite | View

OpenSSL Toolkit 3.3.1: Posted Jun 6, 2024; Site openssl.org; OpenSSL is a robust, fully featured Open Source toolkit implementing the Secure Sockets Layer and Transport Layer Security protocols with full-strength cryptography world-wide.; Changes: Fixed potential use after free after SSL_free_buffers() is called. Fixed an issue where checking excessively long DSA keys or parameters may be very slow.; tags | tool, encryption, protocol; systems | unix; advisories | CVE-2024-4603, CVE-2024-4741; SHA-256 | 777cd596284c883375a2a7a11bf5d2786fc5413255efab20c50d6ffe6d020b7e; Download | Favorite | View

OpenSSL Toolkit 3.2.2: Posted Jun 6, 2024; Site openssl.org; OpenSSL is a robust, fully featured Open Source toolkit implementing the Secure Sockets Layer and Transport Layer Security protocols with full-strength cryptography world-wide.; Changes: Fixed potential use after free after SSL_free_buffers() is called. Fixed an issue where checking excessively long DSA keys or parameters may be very slow. Fixed unbounded memory growth with session handling in TLSv1.3.; tags | tool, encryption, protocol; systems | unix; advisories | CVE-2024-2511, CVE-2024-4603, CVE-2024-4741; SHA-256 | 197149c18d9e9f292c43f0400acaba12e5f52cacfe050f3d199277ea738ec2e7; Download | Favorite | View

OpenSSL Toolkit 3.1.6: Posted Jun 6, 2024; Site openssl.org; OpenSSL is a robust, fully featured Open Source toolkit implementing the Secure Sockets Layer and Transport Layer Security protocols with full-strength cryptography world-wide.; Changes: Fixed potential use after free after SSL_free_buffers() is called. Fixed an issue where checking excessively long DSA keys or parameters may be very slow. Fixed unbounded memory growth with session handling in TLSv1.3.; tags | tool, encryption, protocol; systems | unix; advisories | CVE-2024-2511, CVE-2024-4603, CVE-2024-4741; SHA-256 | 5d2be4036b478ef3cb0a854ca9b353072c3a0e26d8a56f8f0ab9fb6ed32d38d7; Download | Favorite | View

OpenSSL Toolkit 3.0.14: Posted Jun 6, 2024; Site openssl.org; OpenSSL is a robust, fully featured Open Source toolkit implementing the Secure Sockets Layer and Transport Layer Security protocols with full-strength cryptography world-wide.; Changes: Fixed potential use after free after SSL_free_buffers() is called. Fixed an issue where checking excessively long DSA keys or parameters may be very slow. Fixed unbounded memory growth with session handling in TLSv1.3.; tags | tool, encryption, protocol; systems | unix; advisories | CVE-2024-2511, CVE-2024-4603, CVE-2024-4741; SHA-256 | eeca035d4dd4e84fc25846d952da6297484afa0650a6f84c682e39df3a4123ca; Download | Favorite | View

Page 1 of 1 Back 1 Next

Top Authors In Last 30 Days

Red Hat 227 files
indoushka 136 files
Jay Turla 111 files
Ubuntu 63 files
Gentoo 33 files
Debian 27 files
sinn3r 23 files
h00die 23 files
Pedro Ribeiro 21 files
juan vazquez 18 files

File Archives

Systems

AIX (429)
Apple (2,104)
BSD (377)
CentOS (58)
Cisco (1,944)
Debian (7,112)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (880)
iOS (386)
iPhone (108)
IRIX (220)
Juniper (70)
Linux (50,966)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,661)
Slackware (941)
Solaris (1,614)
SUSE (1,444)
Ubuntu (9,788)
UNIX (9,443)
UnixWare (187)
Windows (6,732)
Other

CVE-2024-4603

Overview

Related Files

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems