PT-2023-4551 · Openssl+11
Matt Caswell
Published 2023-07-13 · Updated 2025-11-28
CVE-2023-3446
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions
OpenSSL versions prior to 41.0.3
Description
The issue affects the functions DH_check(), DH_check_ex(), and EVP_PKEY_param_check() in the OpenSSL library. Checking an excessively long DH key or set of DH parameters with these functions can take a very long time, so an application that checks keys or parameters obtained from an untrusted source can be forced into a Denial of Service (DoS). DH_check() performs a series of checks on DH parameters, one of which confirms that the modulus (the p parameter) is not too large: arithmetic on a very large modulus is slow, and OpenSSL will not normally use a modulus longer than 10,000 bits. The remaining checks, however, still perform computations with the supplied modulus even after it has been found to be too large, which is where the delay arises. The OpenSSL SSL/TLS implementation and the OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
Recommendations
To resolve the issue, update to OpenSSL version 41.0.3 or later.
As a temporary workaround, consider restricting the use of DH_check(), DH_check_ex(), and EVP_PKEY_param_check() to minimize the risk of exploitation.
Avoid passing large modulus (p parameter) values to the affected functions until the issue is resolved.
Fix
DoS
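As an added illustration of the workaround above (example code, not OpenSSL's and not part of this advisory), the following Python reads the bit length of p straight out of a PKCS#3 DER DHParameter blob and refuses anything oversized before it is handed to DH_check()/EVP_PKEY_param_check(); the 10,000-bit ceiling is OpenSSL's OPENSSL_DH_MAX_MODULUS_BITS, while the function names and the small DER encoder used to build constructed sample input are assumptions of this example.

```python
# Added example, not OpenSSL's code: gate untrusted PKCS#3 DH parameters
# (SEQUENCE { p INTEGER, g INTEGER }) on the size of p before they reach
# DH_check()/EVP_PKEY_param_check(), so the checker never sees an oversized modulus.
OPENSSL_DH_MAX_MODULUS_BITS = 10000   # OpenSSL's own ceiling, from <openssl/dh.h>

def _der_len_decode(buf: bytes, pos: int) -> tuple[int, int]:
    """Return (length, position after the length field) for the DER length at buf[pos]."""
    if pos >= len(buf):
        raise ValueError("truncated")
    if buf[pos] < 0x80:                               # short form
        return buf[pos], pos + 1
    n = buf[pos] & 0x7F                               # long form: n octets follow
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("malformed length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def dh_param_p_bits(der: bytes) -> int:
    """Bit length of p, read straight from the encoding (no arithmetic on p)."""
    if not der or der[0] != 0x30:
        raise ValueError("not a SEQUENCE")
    seq_len, pos = _der_len_decode(der, 1)
    if seq_len == 0 or pos + seq_len > len(der) or der[pos] != 0x02:
        raise ValueError("expected INTEGER p")
    int_len, pos = _der_len_decode(der, pos + 1)
    if int_len == 0 or pos + int_len > len(der):
        raise ValueError("bad INTEGER length")
    p = int.from_bytes(der[pos:pos + int_len], "big", signed=True)
    if p <= 0:
        raise ValueError("p must be positive")
    return p.bit_length()

def dh_params_safe_to_check(der: bytes, max_bits: int = OPENSSL_DH_MAX_MODULUS_BITS) -> bool:
    """True only if p is small enough to hand to the library's parameter checker."""
    try:
        return dh_param_p_bits(der) <= max_bits
    except ValueError:
        return False                                  # malformed input: reject, never check

def encode_dh_params(p: int, g: int = 2) -> bytes:
    """Constructed sample input: minimal DER encoder for DHParameter."""
    def length(n: int) -> bytes:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([n]) if n < 0x80 else bytes([0x80 | len(body)]) + body
    def integer(v: int) -> bytes:
        body = v.to_bytes(v.bit_length() // 8 + 1, "big")   # extra 0x00 keeps it positive
        return b"\x02" + length(len(body)) + body
    content = integer(p) + integer(g)
    return b"\x30" + length(len(content)) + content
```

A deployment that only ever expects 2048- or 4096-bit groups should pass a tighter max_bits than OpenSSL's ceiling.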
Affected Products
Alt Linux
Almalinux
Astra Linux
Centos
Ibm Aix
Linuxmint
Openssl
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu